{
  "threat_severity" : "Low",
  "public_date" : "2024-07-09T14:00:00Z",
  "bugzilla" : {
    "description" : "python-django: Username enumeration through timing difference for users with unusable passwords",
    "id" : "2295936",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2295936"
  },
  "cvss3" : {
    "cvss3_base_score" : "3.7",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-208",
  "details" : [ "An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The django.contrib.auth.backends.ModelBackend.authenticate() method allows remote attackers to enumerate users via a timing attack involving login requests for users with an unusable password.", "A vulnerability was found in Python-Django in the django.contrib.auth.backends.ModelBackend.authenticate() method. This flaw allows remote attackers to enumerate users via a timing attack involving login requests for users with unusable passwords." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Ansible Automation Platform 2.4 for RHEL 8",
    "release_date" : "2024-09-05T00:00:00Z",
    "advisory" : "RHSA-2024:6428",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.4::el8",
    "package" : "python3x-django-0:4.2.15-1.el8ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.4 for RHEL 9",
    "release_date" : "2024-09-05T00:00:00Z",
    "advisory" : "RHSA-2024:6428",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.4::el9",
    "package" : "python-django-0:4.2.15-1.el9ap"
  }, {
    "product_name" : "Red Hat OpenStack Services on OpenShift 18.0",
    "release_date" : "2024-11-13T00:00:00Z",
    "advisory" : "RHSA-2024:9481",
    "cpe" : "cpe:/a:redhat:openstack:18.0::el9",
    "package" : "python-django-0:3.2.12-8.el9ost"
  }, {
    "product_name" : "Red Hat Satellite 6.16 for RHEL 8",
    "release_date" : "2024-11-05T00:00:00Z",
    "advisory" : "RHSA-2024:8906",
    "cpe" : "cpe:/a:redhat:satellite:6.16::el8",
    "package" : "python-django-0:4.2.16-1.el8pc"
  }, {
    "product_name" : "Red Hat Satellite 6.16 for RHEL 8",
    "release_date" : "2024-11-05T00:00:00Z",
    "advisory" : "RHSA-2024:8906",
    "cpe" : "cpe:/a:redhat:satellite_capsule:6.16::el8",
    "package" : "python-django-0:4.2.16-1.el8pc"
  }, {
    "product_name" : "Red Hat Satellite 6.16 for RHEL 9",
    "release_date" : "2024-11-05T00:00:00Z",
    "advisory" : "RHSA-2024:8906",
    "cpe" : "cpe:/a:redhat:satellite:6.16::el9",
    "package" : "python-django-0:4.2.16-1.el9pc"
  }, {
    "product_name" : "Red Hat Satellite 6.16 for RHEL 9",
    "release_date" : "2024-11-05T00:00:00Z",
    "advisory" : "RHSA-2024:8906",
    "cpe" : "cpe:/a:redhat:satellite_capsule:6.16::el9",
    "package" : "python-django-0:4.2.16-1.el9pc"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Ansible Automation Platform 1.2",
    "fix_state" : "Affected",
    "package_name" : "ansible-tower",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Affected",
    "package_name" : "ansible-automation-platform-25/lightspeed-rhel8",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Certification for Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "python-django",
    "cpe" : "cpe:/a:redhat:certifications:1::el7"
  }, {
    "product_name" : "Red Hat Certification for Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "redhat-certification",
    "cpe" : "cpe:/a:redhat:certifications:1::el8"
  }, {
    "product_name" : "Red Hat Certification Program for Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "redhat-certification",
    "cpe" : "cpe:/a:redhat:certifications:9"
  }, {
    "product_name" : "Red Hat Discovery 1",
    "fix_state" : "Affected",
    "package_name" : "discovery-server-container",
    "cpe" : "cpe:/a:redhat:discovery:1"
  }, {
    "product_name" : "Red Hat OpenStack Platform 16.1",
    "fix_state" : "Out of support scope",
    "package_name" : "python-django20",
    "cpe" : "cpe:/a:redhat:openstack:16.1"
  }, {
    "product_name" : "Red Hat OpenStack Platform 16.2",
    "fix_state" : "Fix deferred",
    "package_name" : "python-django20",
    "cpe" : "cpe:/a:redhat:openstack:16.2"
  }, {
    "product_name" : "Red Hat OpenStack Platform 17.1",
    "fix_state" : "Fix deferred",
    "package_name" : "python-django",
    "cpe" : "cpe:/a:redhat:openstack:17.1"
  }, {
    "product_name" : "Red Hat Storage 3",
    "fix_state" : "Affected",
    "package_name" : "python-django",
    "cpe" : "cpe:/a:redhat:storage:3"
  }, {
    "product_name" : "Red Hat Update Infrastructure 4 for Cloud Providers",
    "fix_state" : "Fix deferred",
    "package_name" : "python-django",
    "cpe" : "cpe:/a:redhat:rhui:4::el8"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-39329\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-39329" ],
  "name" : "CVE-2024-39329",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available, or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to a widespread installation base, or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}