CVE-2020-11037: Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition)
(updated )
In Wagtail, a potential timing attack exists on pages or documents that have been protected with a shared password through Wagtail’s “Privacy” controls. This password check is performed through a character-by-character string comparison, and so an attacker who is able to measure the time taken by this check to a high degree of accuracy could potentially use timing differences to gain knowledge of the password.
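The following is an added illustration of the flaw class described above and of the standard remediation; it is not Wagtail's code, and the password value and function names are constructed for the example. The naive check stops at the first mismatching character, so the amount of work it does (and therefore its running time) depends on how long a correct prefix the submitted value shares with the stored password. The hardened check uses `hmac.compare_digest`, whose running time depends only on the length of the stored value, not on where the inputs differ.

```python
import hmac
from typing import Iterable, List, Tuple

# Constructed sample shared password for the example; not a value from the advisory.
SHARED_PASSWORD = "correct horse battery staple"


def naive_password_check(submitted: str, expected: str) -> Tuple[bool, int]:
    """Character-by-character comparison that returns on the first mismatch.

    Returns (matched, characters_examined). The second value is the
    data-dependent work that a timing side channel exposes: a guess that
    shares a longer correct prefix with the stored password is examined
    further and so takes longer to reject.
    """
    examined = 0
    for got, want in zip(submitted, expected):
        examined += 1
        if got != want:
            return False, examined
    # Prefixes match as far as the shorter input; lengths must agree too.
    return len(submitted) == len(expected), examined


def constant_time_password_check(submitted: str, expected: str) -> bool:
    """Comparison whose duration does not depend on where the inputs differ.

    hmac.compare_digest examines every byte regardless of mismatches. Its
    running time still scales with the length of the stored value, which
    reveals nothing an attacker does not already learn from a rejection.
    Comparing UTF-8 bytes avoids compare_digest's ASCII-only restriction
    on str arguments.
    """
    return hmac.compare_digest(submitted.encode("utf-8"), expected.encode("utf-8"))


def work_profile(guesses: Iterable[str], expected: str) -> List[int]:
    """Characters examined by the naive check for each guess.

    Used here to make the leak visible without a stopwatch: the count grows
    with the length of the matching prefix, which is exactly the signal a
    remote timing measurement would try to recover.
    """
    return [naive_password_check(guess, expected)[1] for guess in guesses]


if __name__ == "__main__":
    print(work_profile(["x", "cx", "corx", "correct x"], SHARED_PASSWORD))  # [1, 2, 4, 9]
    print(constant_time_password_check(SHARED_PASSWORD, SHARED_PASSWORD))   # True
    print(constant_time_password_check("wrong", SHARED_PASSWORD))           # False
```

Django projects, including Wagtail, can use `django.utils.crypto.constant_time_compare`, which wraps `hmac.compare_digest` in the same way; the stdlib call is used here so the example runs without Django installed.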
References
Detect and mitigate CVE-2020-11037 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities.