Homepage
About Snyk

Timing Attack Affecting wagtail package, versions [,2.7.3) [2.8.0, 2.8.2)

Severity

 Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    EPSS
    0.04% (13th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-PYTHON-WAGTAIL-568030
  • published 1 May 2020
  • disclosed 1 May 2020
  • credit Unknown
Report a new vulnerability Found a mistake?

Introduced: 1 May 2020

CVE-2020-11037 Open this link in a new tab
CWE-208 Open this link in a new tab

How to fix?

Upgrade wagtail to version 2.7.3, 2.8.2 or higher.

Overview

wagtail is an open source content management system built on Django.

Affected versions of this package are vulnerable to Timing Attack. A potential timing attack exists on pages or documents that have been protected with a shared password through Wagtail's "Privacy" controls. This is understood to be feasible on a local network, but not on the public internet. Privacy settings that restrict access to pages/documents on a per-user or per-group basis (as opposed to a shared password) are unaffected by this vulnerability.

References

CVSS Scores

version 3.1
Expand this section

Snyk

6.5 medium
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    High
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    High
  • Integrity (I)
    Low
  • Availability (A)
    None
Expand this section

NVD

4.7 medium