FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Wagtail -- potential timing attack vulnerability

Affected packages
py35-wagtail < 2.7.3
2.8 <= py35-wagtail < 2.8.2
py36-wagtail < 2.7.3
2.8 <= py36-wagtail < 2.8.2
py37-wagtail < 2.7.3
2.8 <= py37-wagtail < 2.8.2
py38-wagtail < 2.7.3
2.8 <= py38-wagtail < 2.8.2

Details

VuXML ID d5fead4f-8efa-11ea-a5c8-08002728f74c
Discovery 2020-05-04
Entry 2020-05-05

Wagtail release notes:

CVE-2020-11037: Potential timing attack on password-protected private pages

This release addresses a potential timing attack on pages or documents that have been protected with a shared password through Wagtail's "Privacy" controls. This password check is performed through a character-by-character string comparison, and so an attacker who is able to measure the time taken by this check to a high degree of accuracy could potentially use timing differences to gain knowledge of the password. (This is understood to be feasible on a local network, but not on the public internet.)
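An added illustration, not Wagtail's own code and not its actual patch, of the early-exit string comparison the release notes describe next to a constant-time replacement; the password and guesses below are constructed values.

```python
import hmac
from typing import Dict, List, Tuple


def naive_password_check(supplied: str, expected: str) -> Tuple[bool, int]:
    """Character-by-character comparison of the kind the advisory describes.

    Returns (match, steps), where `steps` counts the characters examined
    before the function could return. The early exit on the first mismatch
    is the defect: the amount of work, and therefore the running time,
    grows with the length of the correctly guessed prefix.
    """
    if len(supplied) != len(expected):
        return False, 0
    steps = 0
    for a, b in zip(supplied, expected):
        steps += 1
        if a != b:
            return False, steps
    return True, steps


def constant_time_password_check(supplied: str, expected: str) -> bool:
    """Hardened check using hmac.compare_digest, which examines every byte
    regardless of where the first mismatch occurs, so the running time no
    longer depends on how much of the password is right. Note that it still
    may leak the *length* of the inputs when they differ in length."""
    return hmac.compare_digest(supplied.encode("utf-8"), expected.encode("utf-8"))


def leak_profile(expected: str, guesses: List[str]) -> Dict[str, int]:
    """Show the side channel without a stopwatch: map each guess to the
    number of comparison steps the naive check performs on it."""
    return {g: naive_password_check(g, expected)[1] for g in guesses}


if __name__ == "__main__":
    # Constructed sample: a shared page password and a few wrong guesses.
    password = "hunter2"
    for guess, steps in leak_profile(password, ["zzzzzzz", "huzzzzz", "hunterX"]).items():
        print(f"{guess!r}: naive check did {steps} step(s); "
              f"constant-time result = {constant_time_password_check(guess, password)}")
```

Whether the timing difference is measurable depends on the network and host, which is why the release notes call it feasible on a local network but not the public internet; the fix removes the dependency altogether rather than relying on noise.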

References

CVE Name CVE-2020-11037
URL https://docs.wagtail.io/en/latest/releases/2.8.2.html
URL https://github.com/wagtail/wagtail/security/advisories/GHSA-jjjr-3jcw-f8v6