PYSEC-2024-57 — Vulnetix

PYSEC-2024-57 PUBLISHED

An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The django.contrib.auth.backends.ModelBackend.authenticate() method allows remote attackers to enumerate users via a timing attack involving login requests for users with an unusable password.

Affected Products

Vendor	Product	Versions
PyPI	django	4.2.8, 4.2, 4.2.1

Timeline

Jul 10, 2024 CVE Published
Mar 10, 2025 CVE Updated

References

https://docs.djangoproject.com/en/dev/releases/security/ url
https://groups.google.com/forum/#%21forum/django-announce url
https://www.djangoproject.com/weblog/2024/jul/09/security-releases/ article

Open in Interactive Console →