CVE-2020-4071
CVE-2020-4071 is a low-severity vulnerability in Django-basic-auth-ip-whitelist Project Django-basic-auth-ip-whitelist with a CVSS 3.x base score of 2.2. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-208.
Key facts
- Severity: Low (CVSS 3.x base score 2.2)
- CVSS v2: 2.1
- EPSS exploit prediction: 0% (28th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-208
- Affected product: Django-basic-auth-ip-whitelist Project Django-basic-auth-ip-whitelist
- Published:
- Last modified:
Description
In django-basic-auth-ip-whitelist before 0.3.4, a potential timing attack exists on websites where the basic authentication is used or configured, i.e. BASIC_AUTH_LOGIN and BASIC_AUTH_PASSWORD is set. Currently the string comparison between configured credentials and the ones provided by users is performed through a character-by-character string comparison. This enables a possibility that attacker may time the time it takes the server to validate different usernames and password, and use this knowledge to work out the valid credentials. This attack is understood not to be realistic over the Internet. However, it may be achieved from within local networks where the website is hosted, e.g. from inside a data centre where a website's server is located. Sites protected by IP address whitelisting only are unaffected by this vulnerability. This vulnerability has been fixed on version 0.3.4 of django-basic-auth-ip-whitelist. Update to version 0.3.4 as soon as possible and change basic authentication username and password configured on a Django project using this package. A workaround without upgrading to version 0.3.4 is to stop using basic authentication and use the IP whitelisting component only. It can be achieved by not setting BASIC_AUTH_LOGIN and BASIC_AUTH_PASSWORD in Django project settings.
Frequently asked questions
- What is CVE-2020-4071?
- In django-basic-auth-ip-whitelist before 0.3.4, a potential timing attack exists on websites where the basic authentication is used or configured, i.e. BASIC_AUTH_LOGIN and BASIC_AUTH_PASSWORD is set. Currently the string comparison between configured credentials and the ones provided by users is performed through a character-by-character string comparison. This enables a possibility that attacker may time the time it takes the server to validate different usernames and password, and use this knowledge to work out the valid credentials. This attack is understood not to be realistic over the Internet. However, it may be achieved from within local networks where the website is hosted, e.g. from inside a data centre where a website's server is located. Sites protected by IP address whitelisting only are unaffected by this vulnerability. This vulnerability has been fixed on version 0.3.4 of django-basic-auth-ip-whitelist. Update to version 0.3.4 as soon as possible and change basic authentication username and password configured on a Django project using this package. A workaround without upgrading to version 0.3.4 is to stop using basic authentication and use the IP whitelisting component only. It can be achieved by not setting BASIC_AUTH_LOGIN and BASIC_AUTH_PASSWORD in Django project settings.
- How severe is CVE-2020-4071?
- CVE-2020-4071 has a CVSS 3.x base score of 2.2, rated low severity. It is exploitable over physical access with high attack complexity, requires no privileges and no user interaction. Impact on confidentiality is low, integrity none, and availability none.
- Is CVE-2020-4071 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (28th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2020-4071?
- CVE-2020-4071 affects Django-basic-auth-ip-whitelist Project Django-basic-auth-ip-whitelist. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2020-4071?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2020-4071 published?
- CVE-2020-4071 was published on 2020-06-24 and last updated on 2026-06-17.
References
- https://github.com/tm-kn/django-basic-auth-ip-whitelist/security/advisories/GHSA-m38j-pmg3-v5x5
- https://groups.google.com/forum/#%21msg/django-developers/iAaq0pvHXuA/fpUuwjK3i2wJ
Affected products (1)
- cpe:2.3:a:django-basic-auth-ip-whitelist_project:django-basic-auth-ip-whitelist:*:*:*:*:*:*:*:*
Other CWE-208 vulnerabilities
- CVE-2023-41313 — Critical (CVSS 9.8): The authentication method in Apache Doris versions before 2.0.0 was vulnerable to timing attacks. Users are recommended…
- CVE-2024-42512 — High (CVSS 8.6): Vulnerability in the OPC UA .NET Standard Stack before 1.5.374.158 allows an unauthorized attacker to bypass…
- CVE-2025-53940 — High (CVSS 8.5): Quiet is an alternative to team chat apps like Slack, Discord, and Element that does not require trusting a central…
- CVE-2026-47784 — High (CVSS 8.1): In memcached before 1.6.42, password data for SASL password database authentication has a timing side channel because…
- CVE-2026-47783 — High (CVSS 8.1): In memcached before 1.6.42, username data for SASL password database authentication has a timing side channel because a…
- CVE-2026-42602 — High (CVSS 8.1): azureauthextension is the Azure Authenticator Extension. From 0.124.0 to 0.150.0, a server-side authentication bypass…