How severe is CVE-2020-11037?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 4.7 out of 10.

What type of vulnerability is CVE-2020-11037?

This is classified as CWE-208, which is a common weakness in software security.

CVE-2020-11037 - MEDIUM Severity | CVSS 4.7

Vulnerability Description

In Wagtail before versions 2.7.3 and 2.8.2, a potential timing attack exists on pages or documents that have been protected with a shared password through Wagtail's "Privacy" controls. This password check is performed through a character-by-character string comparison, and so an attacker who is able to measure the time taken by this check to a high degree of accuracy could potentially use timing differences to gain knowledge of the password. This is [understood to be feasible on a local network, but not on the public internet](https://groups.google.com/d/msg/django-developers/iAaq0pvHXuA/fpUuwjK3i2wJ). Privacy settings that restrict access to pages/documents on a per-user or per-group basis (as opposed to a shared password) are unaffected by this vulnerability. This has been patched in 2.7.3, 2.8.2, 2.9.

Related Vulnerabilities

CVE-2020-35165

MEDIUM

CVSS:4.7(Medium)

Dell BSAFE Crypto-C Micro Edition, versions before 4.1.5, and Dell BSAFE Micro Edition Suite, versions before 4.6, contain an Observable Timing Discrepancy Vulnerability.

CWE-2082020

CVE-2021-26318

MEDIUM

CVSS:4.7(Medium)

A timing and power-based side channel attack leveraging the x86 PREFETCH instructions on some AMD CPUs could potentially result in leaked kernel address space information.

CWE-2082021

CVE-2023-25000

MEDIUM

CVSS:4.7(Medium)

HashiCorp Vault's implementation of Shamir's secret sharing used precomputed table lookups, and was vulnerable to cache-timing attacks. An attacker with access to, and the ability to observe a large n...

CWE-2082023

CVE-2014-125055

MEDIUM

CVSS:5.3(Medium)

A vulnerability, which was classified as problematic, was found in agnivade easy-scrypt. Affected is the function VerifyPassphrase of the file scrypt.go. The manipulation leads to observable timing di...

CWE-2082014

CVE-2014-125056

MEDIUM

CVSS:5.3(Medium)

A vulnerability was found in Pylons horus and classified as problematic. Affected by this issue is some unknown functionality of the file horus/flows/local/services.py. The manipulation leads to obser...

CWE-2082014

CVE-2016-15015

MEDIUM

CVSS:5.3(Medium)

A vulnerability, which was classified as problematic, was found in viafintech Barzahlen Payment Module PHP SDK up to 2.0.0. Affected is the function verify of the file src/Webhook.php. The manipulatio...

CWE-2082016