CVE-2020-15105: User passwords are stored in clear text in the Django session
(updated )
django-two-factor-auth versions 1.11 and before store the user’s password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authentication code. This means that the password is stored in clear text in the session for an arbitrary amount of time, and potentially forever if the user begins the login process by entering their username and password, and then leaves before entering their two-factor authentication code.
The severity of this issue depends on which type of session storage you have configured: in the worst case, if you’re using Django’s default database session storage, then users’ password are stored in clear text in your database. In the best case, if you’re using Django’s signed cookie session, then users’ passwords are only stored in clear text within their browser’s cookie store. In the common case of using Django’s cache session store, the users’ password are stored in clear text in whatever cache storage you have configured (typically Memcached or Redis).
References
- github.com/Bouke/django-two-factor-auth
- github.com/Bouke/django-two-factor-auth/blob/master/CHANGELOG.md
- github.com/Bouke/django-two-factor-auth/commit/454fd9842fa6e8bb772dbf0943976bc8e3335359
- github.com/Bouke/django-two-factor-auth/security/advisories/GHSA-vhr6-pvjm-9qwf
- github.com/advisories/GHSA-vhr6-pvjm-9qwf
- github.com/pypa/advisory-database/tree/main/vulns/django-two-factor-auth/PYSEC-2020-39.yaml
- nvd.nist.gov/vuln/detail/CVE-2020-15105
Detect and mitigate CVE-2020-15105 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →