CVE-2018-6188

Priority
Medium
Description
django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2,
and 1.11.8 and 1.11.9, allows remote attackers to obtain potentially
sensitive information by leveraging data exposure from the
confirm_login_allowed() method, as demonstrated by discovering whether a
user account is inactive.
Notes
 ratliff> Upstream notes that 1.8, 1.9, and 1.10 are unaffected
Assigned-to
leosilva
Package
Upstream: released (1:1.11.10-1)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 LTS (Trusty Tahr): not-affected (1.6.11)
Ubuntu 16.04 LTS (Xenial Xerus): not-affected (1.8.7)
Ubuntu 17.10 (Artful Aardvark): released (1:1.11.4-1ubuntu1.1)
Ubuntu 18.04 LTS (Bionic Beaver): needed
Updated: 2018-02-07 15:14:16 UTC (commit 14142)