{"id":"GHSA-jjjr-3jcw-f8v6","summary":"Potential Observable Timing Discrepancy in Wagtail","details":"### Impact\nA potential timing attack exists on pages or documents that have been protected with a shared password through Wagtail's \"Privacy\" controls. This password check is performed through a character-by-character string comparison, and so an attacker who is able to measure the time taken by this check to a high degree of accuracy could potentially use timing differences to gain knowledge of the password. (This is [understood to be feasible on a local network, but not on the public internet](https://groups.google.com/d/msg/django-developers/iAaq0pvHXuA/fpUuwjK3i2wJ).)\n\nPrivacy settings that restrict access to pages / documents on a per-user or per-group basis (as opposed to a shared password) are unaffected by this vulnerability.\n\n### Patches\nPatched versions have been released as Wagtail 2.7.3 (for the LTS 2.7 branch), Wagtail 2.8.2 and Wagtail 2.9.\n\n### Workarounds\nSite owners who are unable to upgrade to the new versions can use [user- or group-based privacy restrictions](https://docs.wagtail.io/en/stable/advanced_topics/privacy.html) to restrict access to sensitive information; these are unaffected by this vulnerability.","aliases":["CVE-2020-11037","PYSEC-2020-153"],"modified":"2026-03-10T23:14:09.308985793Z","published":"2020-05-07T18:04:53Z","database_specific":{"github_reviewed_at":"2020-05-07T18:04:33Z","cwe_ids":["CWE-208","CWE-362"],"severity":"MODERATE","nvd_published_at":"2020-04-30T23:15:11Z","github_reviewed":true},"references":[{"type":"WEB","url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-jjjr-3jcw-f8v6"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-11037"},{"type":"WEB","url":"https://github.com/wagtail/wagtail/commit/3c030490ed575bb9cd01dfb3a890477dcaeb2edf"},{"type":"WEB","url":"https://github.com/wagtail/wagtail/commit/b76ab57ee859732b9cf9287d380493ab24061090"},{"type":"WEB","url":"https://github.com/wagtail/wagtail/commit/ba9d424bd1ca5ce1910d3de74f5cc07214fbfb11"},{"type":"WEB","url":"https://github.com/wagtail/wagtail/commit/bac3cd0a26b023e595cf2959aae7da15bb5e4340"},{"type":"WEB","url":"https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2020-153.yaml"},{"type":"PACKAGE","url":"https://github.com/wagtail/wagtail"}],"affected":[{"package":{"name":"wagtail","ecosystem":"PyPI","purl":"pkg:pypi/wagtail"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.7.3"}]}],"versions":["0.1","0.2","0.3","0.3.1","0.4","0.4.1","0.5","0.6","0.7","0.8","0.8.1","0.8.10","0.8.2","0.8.3","0.8.4","0.8.5","0.8.6","0.8.7","0.8.8","0.8.9","1.0","1.0b1","1.0b2","1.0rc1","1.0rc2","1.1","1.10","1.10.1","1.10rc1","1.11","1.11.1","1.11rc1","1.12","1.12.1","1.12.2","1.12.3","1.12.4","1.12.5","1.12.6","1.12rc1","1.13","1.13.1","1.13.2","1.13.3","1.13.4","1.13rc1","1.1rc1","1.2","1.2rc1","1.3","1.3.1","1.3rc1","1.4","1.4.1","1.4.2","1.4.3","1.4.4","1.4.5","1.4.6","1.4rc1","1.5","1.5.1","1.5.2","1.5.3","1.5rc1","1.6","1.6.1","1.6.2","1.6.3","1.6rc1","1.7","1.7rc1","1.8","1.8.1","1.8.2","1.8rc1","1.9","1.9.1","1.9rc1","2.0","2.0.1","2.0.2","2.0b1","2.0rc1","2.1","2.1.1","2.1.2","2.1.3","2.1rc1","2.1rc2","2.2","2.2.1","2.2.2","2.2rc1","2.2rc2","2.3","2.3rc1","2.3rc2","2.4","2.4rc1","2.5","2.5.1","2.5.2","2.5rc1","2.6","2.6.1","2.6.2","2.6.3","2.6rc1","2.7","2.7.1","2.7.2","2.7rc1","2.7rc2"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-jjjr-3jcw-f8v6/GHSA-jjjr-3jcw-f8v6.json"}},{"package":{"name":"wagtail","ecosystem":"PyPI","purl":"pkg:pypi/wagtail"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.8rc1"},{"fixed":"2.8.2"}]}],"versions":["2.8","2.8.1","2.8rc1"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-jjjr-3jcw-f8v6/GHSA-jjjr-3jcw-f8v6.json"}},{"package":{"name":"wagtail","ecosystem":"PyPI","purl":"pkg:pypi/wagtail"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.9rc1"},{"fixed":"2.9"}]}],"versions":["2.9rc1"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-jjjr-3jcw-f8v6/GHSA-jjjr-3jcw-f8v6.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N"},{"type":"CVSS_V4","score":"CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"}]}