CVE-2020-11037: Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition)

April 30, 2020 (updated May 8, 2020)

In Wagtail, a potential timing attack exists on pages or documents that have been protected with a shared password through Wagtail’s “Privacy” controls. This password check is performed through a character-by-character string comparison, and so an attacker who is able to measure the time taken by this check to a high degree of accuracy could potentially use timing differences to gain knowledge of the password.

References

nvd.nist.gov/vuln/detail/CVE-2020-11037

Detect and mitigate CVE-2020-11037 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →