CVE-2020-4071

CVE-2020-4071 is a low-severity vulnerability in Django-basic-auth-ip-whitelist Project Django-basic-auth-ip-whitelist with a CVSS 3.x base score of 2.2. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-208.

Key facts

Description

In django-basic-auth-ip-whitelist before 0.3.4, a potential timing attack exists on websites where the basic authentication is used or configured, i.e. BASIC_AUTH_LOGIN and BASIC_AUTH_PASSWORD is set. Currently the string comparison between configured credentials and the ones provided by users is performed through a character-by-character string comparison. This enables a possibility that attacker may time the time it takes the server to validate different usernames and password, and use this knowledge to work out the valid credentials. This attack is understood not to be realistic over the Internet. However, it may be achieved from within local networks where the website is hosted, e.g. from inside a data centre where a website's server is located. Sites protected by IP address whitelisting only are unaffected by this vulnerability. This vulnerability has been fixed on version 0.3.4 of django-basic-auth-ip-whitelist. Update to version 0.3.4 as soon as possible and change basic authentication username and password configured on a Django project using this package. A workaround without upgrading to version 0.3.4 is to stop using basic authentication and use the IP whitelisting component only. It can be achieved by not setting BASIC_AUTH_LOGIN and BASIC_AUTH_PASSWORD in Django project settings.

Frequently asked questions

What is CVE-2020-4071?
In django-basic-auth-ip-whitelist before 0.3.4, a potential timing attack exists on websites where the basic authentication is used or configured, i.e. BASIC_AUTH_LOGIN and BASIC_AUTH_PASSWORD is set. Currently the string comparison between configured credentials and the ones provided by users is performed through a character-by-character string comparison. This enables a possibility that attacker may time the time it takes the server to validate different usernames and password, and use this knowledge to work out the valid credentials. This attack is understood not to be realistic over the Internet. However, it may be achieved from within local networks where the website is hosted, e.g. from inside a data centre where a website's server is located. Sites protected by IP address whitelisting only are unaffected by this vulnerability. This vulnerability has been fixed on version 0.3.4 of django-basic-auth-ip-whitelist. Update to version 0.3.4 as soon as possible and change basic authentication username and password configured on a Django project using this package. A workaround without upgrading to version 0.3.4 is to stop using basic authentication and use the IP whitelisting component only. It can be achieved by not setting BASIC_AUTH_LOGIN and BASIC_AUTH_PASSWORD in Django project settings.
How severe is CVE-2020-4071?
CVE-2020-4071 has a CVSS 3.x base score of 2.2, rated low severity. It is exploitable over physical access with high attack complexity, requires no privileges and no user interaction. Impact on confidentiality is low, integrity none, and availability none.
Is CVE-2020-4071 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (28th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2020-4071?
CVE-2020-4071 affects Django-basic-auth-ip-whitelist Project Django-basic-auth-ip-whitelist. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2020-4071?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
When was CVE-2020-4071 published?
CVE-2020-4071 was published on 2020-06-24 and last updated on 2026-06-17.

References

Affected products (1)

Other CWE-208 vulnerabilities

Browse all CWE-208 vulnerabilities →