Timing Attack Affecting django-allauth package, versions [,65.3.0)

Q: How to fix?

Upgrade django-allauth to version 65.3.0 or higher.

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-PYTHON-DJANGOALLAUTH-8600545
published1 Jan 2025
disclosed1 Jan 2025
creditJulie Rymer

Report a new vulnerability Found a mistake?

Introduced: 1 Jan 2025

NewCWE-208 (opens in a new tab)

How to fix?

Upgrade django-allauth to version 65.3.0 or higher.

Overview

django-allauth is an integrated set of Django applications addressing authentication, registration, account management as well as 3rd party (social) account authentication.

Affected versions of this package are vulnerable to Timing Attack in the AuthenticationBackend._authenticate_by_email method which allows attackers to determine the existence of user accounts by measuring response times during email/password authentication attempts.

References

GitHub Commit

CVSS Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
Low
Integrity (VI)
None
Availability (VA)
None

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None