CVE-2018-6188 log

Severity: Medium
Remote: Yes
Type: Information disclosure
A regression in Django 1.11.8 and 1.11.9 before 1.11.10 and 2.0 before 2.0.2 made AuthenticationForm run its confirm_login_allowed() method even if an incorrect password is entered. This can leak information about a user, depending on what messages confirm_login_allowed() raises. If confirm_login_allowed() isn't overridden, an attacker can enter an arbitrary username and see whether that user has been set to is_active=False. If confirm_login_allowed() is overridden, more sensitive details could be leaked.
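Added illustration of the ordering bug described above; this is not Django's code but a minimal stand-in for AuthenticationForm.clean() with a constructed user store, showing the regressed order (confirm_login_allowed() reached before the password is verified) beside the fixed order, where a wrong password always yields the same generic error whatever the account's is_active flag.

```python
INVALID_LOGIN = "Please enter a correct username and password."
INACTIVE = "This account is inactive."

# Constructed sample data: username -> (password, is_active)
USERS = {
    "alice": ("correct horse battery staple", True),
    "bob": ("hunter2", False),   # deactivated account
}

def authenticate(username, password):
    """Stand-in for django.contrib.auth.authenticate(): user only on correct credentials."""
    rec = USERS.get(username)
    if rec is None or rec[0] != password:
        return None
    return username

def confirm_login_allowed(username):
    """Default Django behaviour: reject inactive users with a distinct message."""
    if not USERS[username][1]:
        raise ValueError(INACTIVE)

def clean_regressed(username, password):
    """Regressed order (1.11.8/1.11.9, 2.0/2.0.1): when the password is wrong the
    user is still looked up and confirm_login_allowed() runs, so the inactive
    message reveals is_active=False to anyone who knows the username."""
    if authenticate(username, password) is None:
        if username in USERS:
            confirm_login_allowed(username)
        raise ValueError(INVALID_LOGIN)
    confirm_login_allowed(username)
    return username

def clean_fixed(username, password):
    """Fixed order (1.11.10, 2.0.2): confirm_login_allowed() only runs after the
    password has been verified, so a wrong password gives the generic error
    regardless of the account's state and nothing about the user is revealed."""
    user = authenticate(username, password)
    if user is None:
        raise ValueError(INVALID_LOGIN)
    confirm_login_allowed(user)
    return user

def login_error(clean, username, password):
    """Return the error message a caller would see, or None when login succeeds."""
    try:
        clean(username, password)
    except ValueError as exc:
        return str(exc)
    return None
```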
Group    Package                        Affected   Fixed       Severity  Status  Ticket
AVG-624  python-django, python2-django  1.11.8-1   1.11.10-1   Medium    Fixed