Skip to content

Potential sensitive information disclosed in error reports

Low
ubernostrum published GHSA-58c7-px5v-82hh Apr 1, 2021

Package

pip django-registration (pip)

Affected versions

< 3.1.2

Patched versions

3.1.2

Description

Impact

The django-registration package provides tools for implementing user-account registration flows in the Django web framework. In django-registration prior to 3.1.2, the base user-account registration view did not properly apply filters to sensitive data, with the result that sensitive data could be included in error reports rather than removed automatically by Django.

Triggering this requires the following conditions:

  • A site is using django-registration < 3.1.2
  • The site has detailed error reports (such as Django's emailed error reports to site staff/developers) enabled
  • A server-side error (HTTP 5xx) occurs during an attempt by a user to register an account

Under these conditions, recipients of the detailed error report will see all submitted data from the account-registration attempt, which may include the user's proposed credentials (such as a password).

Patches

As of version 3.1.2, django-registration properly applies Django's sensitive_post_parameters() decorator to the base user-registration view, which will cause all data from the HTTP request body to be filtered from detailed error reports in the event of a server-side crash during user account registration.

Note that as applied, this filters all HTTP request data from error reports. To selectively allow some fields but not others, see Django's own documentation (in references) and the notes below for how to apply sensitive_post_parameters() manually to a particular codebase's RegistrationView subclass(es).

Workarounds

Users who cannot upgrade quickly can apply the django.views.decorators.debug.sensitive_post_parameters() decorator to their own registration views. The decorator should be applied on the dispatch() method of the appropriate RegistrationView class, using Django's method_decorator() helper. For example:

from django.utils.decorators import method_decorator
from django.views.decorators.debug import sensitive_post_parameters

from django_registration.views import RegistrationView

class MyRegistrationView(RegistrationView):
    """
    A RegistrationView subclass manually protected against sensitive information disclosure
    in error reports.

    """
    @method_decorator(sensitive_post_parameters())
    def dispatch(self, *args, **kwargs):
        return super().dispatch(*args, **kwargs)

References

Severity

Low

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Local
Attack complexity
High
Privileges required
High
User interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N

CVE ID

CVE-2021-21416

Credits