VulnerableCode Vulnerability Details

Search for vulnerabilities

Vulnerability details: VCID-w587-v6fz-aaaf

Essentials
Severities (107)
References (22)
Severity details (18)
Exploits (0)
EPSS
History (0)

Vulnerability ID	VCID-w587-v6fz-aaaf
Aliases	CVE-2018-16984 GHSA-6mx3-3vqg-hpp2 PYSEC-2018-3
Summary	An issue was discovered in Django 2.1 before 2.1.2, in which unprivileged users can read the password hashes of arbitrary accounts. The read-only password widget used by the Django Admin to display an obfuscated password hash was bypassed if a user has only the "view" permission (new in Django 2.1), resulting in display of the entire password hash to those users. This may result in a vulnerability for sites with legacy user accounts using insecure hashes.
Status	Published
Exploitability	0.5
Weighted Severity	6.2
Risk	3.1
Affected and Fixed Packages	Package Details

Weaknesses (4)

CWE-522	Insufficiently Protected Credentials
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-200	Exposure of Sensitive Information to an Unauthorized Actor

System	Score	Found at
cvssv3	2.7	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-16984.json
epss	0.00094	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.00094	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.00094	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.00094	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.00095	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.0113	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
epss	0.01847	https://api.first.org/data/v1/epss?cve=CVE-2018-16984
rhbs	low	https://bugzilla.redhat.com/show_bug.cgi?id=1639398
cvssv3	5.3	https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr	MODERATE	https://github.com/advisories/GHSA-6mx3-3vqg-hpp2
cvssv3.1	3.7	https://github.com/django/django
generic_textual	MODERATE	https://github.com/django/django
cvssv3.1	4.9	https://github.com/django/django/commit/bf39978a53f117ca02e9a0c78b76664a41a54745
generic_textual	MODERATE	https://github.com/django/django/commit/bf39978a53f117ca02e9a0c78b76664a41a54745
cvssv3.1	4.9	https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2018-3.yaml
generic_textual	MODERATE	https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2018-3.yaml
cvssv2	4.0	https://nvd.nist.gov/vuln/detail/CVE-2018-16984
cvssv3	4.9	https://nvd.nist.gov/vuln/detail/CVE-2018-16984
archlinux	Medium	https://security.archlinux.org/AVG-773
cvssv3.1	4.9	https://security.netapp.com/advisory/ntap-20190502-0009
generic_textual	MODERATE	https://security.netapp.com/advisory/ntap-20190502-0009
cvssv3.1	4.9	https://web.archive.org/web/20200517123022/http://www.securitytracker.com/id/1041749
generic_textual	MODERATE	https://web.archive.org/web/20200517123022/http://www.securitytracker.com/id/1041749
cvssv3.1	4.9	https://www.djangoproject.com/weblog/2018/oct/01/security-release
generic_textual	MODERATE	https://www.djangoproject.com/weblog/2018/oct/01/security-release

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-16984.json
		https://api.first.org/data/v1/epss?cve=CVE-2018-16984
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16984
		https://cwe.mitre.org/data/definitions/200.html
		https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
		https://github.com/django/django
		https://github.com/django/django/commit/bf39978a53f117ca02e9a0c78b76664a41a54745
		https://github.com/django/django/commit/f5335bc745d4f86d355b69549712885fd1634574
		https://github.com/django/django/pull/10449
		https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2018-3.yaml
		https://security.netapp.com/advisory/ntap-20190502-0009
		https://security.netapp.com/advisory/ntap-20190502-0009/
		https://web.archive.org/web/20200517123022/http://www.securitytracker.com/id/1041749
		https://www.djangoproject.com/weblog/2018/oct/01/security-release
		https://www.djangoproject.com/weblog/2018/oct/01/security-release/
		http://www.securitytracker.com/id/1041749
1639398		https://bugzilla.redhat.com/show_bug.cgi?id=1639398
ASA-201810-5		https://security.archlinux.org/ASA-201810-5
AVG-773		https://security.archlinux.org/AVG-773
cpe:2.3:a:djangoproject:django::::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:djangoproject:django::::::::
CVE-2018-16984		https://nvd.nist.gov/vuln/detail/CVE-2018-16984
GHSA-6mx3-3vqg-hpp2		https://github.com/advisories/GHSA-6mx3-3vqg-hpp2

No exploits are available.

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-16984.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/django/django

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/django/django/commit/bf39978a53f117ca02e9a0c78b76664a41a54745

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2018-3.yaml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2018-16984

Exploitability (E)	Access Vector (AV)	Access Complexity (AC)	Authentication (Au)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
high functional unproven proof_of_concept not_defined	local adjacent_network network	high medium low	multiple single none	none partial complete	none partial complete	none partial complete

Exploitability (E)

Access Vector (AV)

Access Complexity (AC)

Authentication (Au)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

partial

complete

none

partial

complete

none

partial

complete

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2018-16984

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N Found at https://security.netapp.com/advisory/ntap-20190502-0009

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N Found at https://web.archive.org/web/20200517123022/http://www.securitytracker.com/id/1041749

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N Found at https://www.djangoproject.com/weblog/2018/oct/01/security-release

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.40892
EPSS Score	0.00094
Published At	Dec. 17, 2024, midnight

Date	Actor	Action	Source	VulnerableCode Version
There are no relevant records.