Miggo Logo
Miggo Vulnerability Database
CVE-2024-45231

CVE-2024-45231: Django allows enumeration of user e-mail addresses

3.7

CVSS Score
3.1

Basic Information

CVE ID
CVE-2024-45231
GHSA ID
GHSA-rrqc-c2jx-6jgv
EPSS Score
0.16451%
CWE
CWE-203
Published
10/8/2024
Updated
10/30/2024
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
Djangopip>= 5.1, < 5.1.15.1.1
Djangopip>= 5.0, < 5.0.95.0.9
Djangopip< 4.2.164.2.16

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from unhandled exceptions in PasswordResetForm's send_mail method. The commit diff shows a try-except block was added to catch email sending failures and log them instead of propagating exceptions. Prior to this fix, failed email delivery (e.g., due to backend issues) would result in server errors, creating an observable discrepancy between valid and invalid email submissions. This allowed attackers to infer registered emails based on HTTP response status codes.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n issu* w*s *is*ov*r** in *j*n*o v*.*.*, v*.*.*, *n* v*.*.**. T** *j*n*o.*ontri*.*ut*.*orms.P*sswor*R*s*t*orm *l*ss, w**n us** in * vi*w impl*m*ntin* p*sswor* r*s*t *lows, *llows r*mot* *tt**k*rs to *num*r*t* us*r *-m*il ***r*ss*s *y s*n*in* p*sswor

Reasoning

T** vuln*r**ility st*ms *rom un**n*l** *x**ptions in `P*sswor*R*s*t*orm`'s `s*n*_m*il` m*t*o*. T** *ommit *i** s*ows * try-*x**pt *lo*k w*s ***** to **t** *m*il s*n*in* **ilur*s *n* lo* t**m inst*** o* prop***tin* *x**ptions. Prior to t*is *ix, **il*
CVE-2024-45231: Django Auth Pwd Reset Enum Flaw | Miggo