CVE-2020-15105: Cleartext Storage of Sensitive Information
Django Two-Factor Authentication

All organizations should encourage users whose passwords were insecurely stored to change these passwords on any sites where they were used. As a workaround, switching Django’s session storage to use signed cookies instead of the database or cache lessens the impact of this issue, but it should not be done without a thorough understanding of the security tradeoffs of using signed cookies rather than server-side session storage. There is no way to fully mitigate the issue without upgrading.
References
- github.com/Bouke/django-two-factor-auth/blob/master/CHANGELOG.md
- github.com/Bouke/django-two-factor-auth/commit/454fd9842fa6e8bb772dbf0943976bc8e3335359
- github.com/Bouke/django-two-factor-auth/security/advisories/GHSA-vhr6-pvjm-9qwf
- github.com/advisories/GHSA-vhr6-pvjm-9qwf
- nvd.nist.gov/vuln/detail/CVE-2020-15105