LOW 3.7

GHSA-rrqc-c2jx-6jgv

Django allows enumeration of user e-mail addresses

Details

An issue was discovered in Django 5.1 before 5.1.1, 5.0 before 5.0.9, and 4.2 before 4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view implementing password reset flows, allows remote attackers to enumerate user e-mail addresses by sending password reset requests and observing the outcome. The form looked up accounts matching the submitted address and sent a reset e-mail to each one without handling failures from the e-mail backend. When e-mail sending is consistently failing (for example a misconfigured or unreachable SMTP server), a request for a registered address therefore ended in an unhandled exception and a server error, while a request for an unregistered address sent nothing and completed normally, so the response status alone revealed whether the address belongs to an account. The fix catches exceptions raised while sending and logs them instead, so both cases return the same response. The issue is only exploitable while mail delivery is failing; an attacker cannot trigger that condition on their own.
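The following is an added, standalone simulation of the flaw and its fix; it is not Django's code and does not import Django. The user store, backends and handler functions (REGISTERED_USERS, FailingBackend, RecordingBackend, vulnerable_password_reset, hardened_password_reset, enumerate_addresses) are constructed for this example, and mapping an unhandled exception to a 500 status stands in for Django's default error handling. The hardened handler follows the shape of the upstream fix: wrap the send in try/except and log the failure.

```python
"""Simulated password-reset flow showing why an unhandled e-mail failure
leaks whether an address is registered.

Standalone example, not Django code. All names below are invented for the
demonstration; the 500 status imitates what an unhandled exception in a
view produces.
"""
import logging

logger = logging.getLogger("password_reset_demo")

# Constructed sample data: two registered, active accounts.
REGISTERED_USERS = {
    "alice@example.com": {"pk": 1, "is_active": True},
    "bob@example.com": {"pk": 2, "is_active": True},
}


class FailingBackend:
    """E-mail backend whose every send() fails, e.g. an unreachable SMTP host."""

    def send(self, to_email, body):
        raise ConnectionRefusedError("SMTP connection refused")


class RecordingBackend:
    """Working backend that only records what it would have delivered."""

    def __init__(self):
        self.sent = []

    def send(self, to_email, body):
        self.sent.append((to_email, body))


def get_users(email):
    """Lookup in the spirit of the form: only active accounts with that address."""
    user = REGISTERED_USERS.get(email.lower())
    return [user] if user and user["is_active"] else []


def vulnerable_password_reset(email, backend):
    """Pre-fix behaviour: a backend exception propagates out of the view.

    Returns the HTTP status an attacker would observe. Only a registered
    address causes a send, so only a registered address can produce the 500.
    """
    try:
        for user in get_users(email):
            backend.send(email, f"reset token for user {user['pk']}")
        return 302  # redirect to the "password reset sent" page
    except Exception:
        return 500  # unhandled exception -> server error


def hardened_password_reset(email, backend):
    """Post-fix behaviour: a send failure is logged, not surfaced to the client."""
    for user in get_users(email):
        try:
            backend.send(email, f"reset token for user {user['pk']}")
        except Exception:
            logger.exception("Failed to send password reset email to %s", user["pk"])
    return 302  # identical response whether or not the address is registered


def enumerate_addresses(handler, candidates, backend):
    """Attacker's view: probe each candidate and keep those that stand out.

    Returns (status per address, addresses revealed as registered).
    """
    statuses = {addr: handler(addr, backend) for addr in candidates}
    if len(set(statuses.values())) <= 1:
        return statuses, []  # no observable difference, nothing learned
    leaked = [addr for addr, status in statuses.items() if status == 500]
    return statuses, leaked


if __name__ == "__main__":
    probes = ["alice@example.com", "nobody@example.com"]
    print("vulnerable:", enumerate_addresses(vulnerable_password_reset, probes, FailingBackend()))
    print("hardened:  ", enumerate_addresses(hardened_password_reset, probes, FailingBackend()))
```

Run against the failing backend, the vulnerable handler answers 500 for alice@example.com and 302 for nobody@example.com, which is exactly the oracle the advisory describes; the hardened handler answers 302 for both and the probe learns nothing. Swapping in RecordingBackend shows that the fix changes nothing when mail delivery works.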

Affected packages

PyPI / django
Introduced in: 5.1 Fixed in: 5.1.1
Fix pip install --upgrade 'django>=5.1.1'
PyPI / django
Introduced in: 5.0 Fixed in: 5.0.9
Fix pip install --upgrade 'django>=5.0.9'
PyPI / django
Introduced in: 0 Fixed in: 4.2.16
Fix pip install --upgrade 'django>=4.2.16'