CVE-2024-45231 The advisory has been revoked - it doesn't affect any version of package python-django  (opens in a new tab)


Threat Intelligence

EPSS
0.05% (23rd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-RHEL7-PYTHONDJANGO-8091237
  • published25 Sept 2024
  • disclosed3 Sept 2024

Introduced: 3 Sep 2024

CVE-2024-45231  (opens in a new tab)

Amendment

The Red Hat security team deemed this advisory irrelevant for RHEL:7.

NVD Description

Note: Versions mentioned in the description apply only to the upstream python-django package and not the python-django package as distributed by RHEL.

An issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view implementing password reset flows, allows remote attackers to enumerate user e-mail addresses by sending password reset requests and observing the outcome (only when e-mail sending is consistently failing).