{"id":"PYSEC-2020-153","details":"In Wagtail before versions 2.7.2 and 2.8.2, a potential timing attack exists on pages or documents that have been protected with a shared password through Wagtail's \"Privacy\" controls. This password check is performed through a character-by-character string comparison, and so an attacker who is able to measure the time taken by this check to a high degree of accuracy could potentially use timing differences to gain knowledge of the password. This is understood to be feasible on a local network, but not on the public internet. Privacy settings that restrict access to pages/documents on a per-user or per-group basis (as opposed to a shared password) are unaffected by this vulnerability. This has been patched in 2.7.3, 2.8.2, 2.9.","aliases":["CVE-2020-11037","GHSA-jjjr-3jcw-f8v6"],"modified":"2023-11-01T04:51:29.799945Z","published":"2020-04-30T23:15:00Z","references":[{"type":"ADVISORY","url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-jjjr-3jcw-f8v6"}],"affected":[{"package":{"name":"wagtail","ecosystem":"PyPI","purl":"pkg:pypi/wagtail"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.8"},{"fixed":"2.8.2"},{"introduced":"2.7"},{"fixed":"2.7.3"}]}],"versions":["2.7","2.7.1","2.7.2","2.8","2.8.1"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/wagtail/PYSEC-2020-153.yaml"}}],"schema_version":"1.7.3"}