CVE-2021-21416

Potential sensitive information disclosed in error reports

Severity Score

2.6

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

django-registration is a user registration package for Django. The django-registration package provides tools for implementing user-account registration flows in the Django web framework. In django-registration prior to 3.1.2, the base user-account registration view did not properly apply filters to sensitive data, with the result that sensitive data could be included in error reports rather than removed automatically by Django. Triggering this requires: A site is using django-registration < 3.1.2, The site has detailed error reports (such as Django's emailed error reports to site staff/developers) enabled and a server-side error (HTTP 5xx) occurs during an attempt by a user to register an account. Under these conditions, recipients of the detailed error report will see all submitted data from the account-registration attempt, which may include the user's proposed credentials (such as a password).

django-registration es un paquete de registro de usuarios para Django. El paquete django-registration proporciona herramientas para implementar flujos de registro de cuentas de usuario en el framework web de Django. En django-registration anterior a versión 3.1.2, la vista de registro de la cuenta de usuario base no aplicaba filtros correctamente a los datos confidenciales, con el resultado de que los datos confidenciales podrían incluirse en los reportes de errores en lugar de ser eliminados automáticamente por Django. Activar esto requiere: Un sitio está usando django-registration versiones anteriores a 3.1.2, El sitio tiene reportes de error detallados (como los reportes de error enviados por correo electrónico de Django al personal y desarrolladores del sitio) habilitados y se produce un error del lado del servidor (HTTP 5xx) durante un intento de por parte de un usuario de un registro de cuenta. Bajo estas condiciones, los destinatarios del reporte de error detallado verán todos los datos enviados desde el intento de registro de la cuenta, que pueden incluir las credenciales propuestas del usuario (tales como una contraseña)

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

High

Privileges Required

High

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

None

Availability

None

Attack Vector

Local

Attack Complexity

High

Privileges Required

High

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

Single

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-12-22 CVE Reserved
2021-04-01 CVE Published
2023-03-08 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-209: Generation of Error Message Containing Sensitive Information

CAPEC

References (1)

URL	Tag	Source
https://github.com/ubernostrum/django-registration/security/advisories/GHSA-58c7-px5v-82hh	Mitigation

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Django-registration Project Search vendor "Django-registration Project"		Django-registration Search vendor "Django-registration Project" for product "Django-registration"				< 3.1.2 Search vendor "Django-registration Project" for product "Django-registration" and version " < 3.1.2"		django		Affected