[SNYK] - Weak Password Recovery Mechanism #3422
Comments
This may not affect us since we use the cloud.gov authentication system, which redirects from wagtail's normal login processes to cloud.gov. See this PR for reference: #889. Need to investigate whether this can be bypassed as a vulnerability; if not, this is probably not a vulnerability.
After consulting with the team, this package does not cause a significant external security vulnerability since our Wagtail users use a different authentication system. We plan to patch this package when we upgrade our django and wagtail versions. See issue #3105.
Issue may be related: #3396
Weak Password Recovery Mechanism
Vulnerable module: Django
Introduced through: django@1.11.23, wagtail@2.2.1 and others
Exploit maturity: No known exploit
Fixed in: 1.11.27, 2.2.9, 3.0.1
Remediation: Pin django to version 1.11.27 or 2.2.9 or 3.0.1
Detailed paths and remediation
Introduced through: project@0.0.0 › django@1.11.23
Remediation: Upgrade django to version 1.11.27 or 2.2.9 or 3.0.1
Introduced through: project@0.0.0 › wagtail@2.2.1 › Django@1.11.23
Remediation: Pin Django to version 1.11.27 or 2.2.9 or 3.0.1
Introduced through: project@0.0.0 › django-storages@1.7.1 › Django@1.11.23
Remediation: Pin Django to version 1.11.27 or 2.2.9 or 3.0.1
Introduced through: project@0.0.0 › django-jinja@2.4.1 › django@1.11.23
Remediation: Pin django to version 1.11.27 or 2.2.9 or 3.0.1
Introduced through: project@0.0.0 › cg-django-uaa@1.3.0 › django@1.11.23
Remediation: Pin django to version 1.11.27 or 2.2.9 or 3.0.1
Introduced through: project@0.0.0 › wagtail@2.2.1 › django-treebeard@4.3 › Django@1.11.23
Remediation: Pin Django to version 1.11.27 or 2.2.9 or 3.0.1
Introduced through: project@0.0.0 › wagtail@2.2.1 › django-taggit@0.24.0 › Django@1.11.23
Remediation: Pin Django to version 1.11.27 or 2.2.9 or 3.0.1
Introduced through: project@0.0.0 › wagtail@2.2.1 › djangorestframework@3.11.0 › django@1.11.23
Remediation: Pin django to version 1.11.27 or 2.2.9 or 3.0.1
Introduced through: project@0.0.0 › django-libsass@0.7 › django-compressor@2.3 › django-appconf@1.0.3 › django@1.11.23
Overview
django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design.
Affected versions of this package are vulnerable to Weak Password Recovery Mechanism (CVE-2019-19844). The password reset form looks up accounts with a case-insensitive match on the submitted email address, and then mails the reset token to the submitted address rather than to the address stored on the account. A suitably crafted email address (one that is equal to an existing user's email address after case transformation of Unicode characters) therefore matches that user, and an attacker would be sent a password reset token for the matched user account.
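The matching defect described above, modelled in plain Python as an added illustration (this is not Django's or this project's code). `USERS`, `find_users_iexact`, `find_users_fixed` and `reset_targets` are assumed names; `str.upper()` stands in for the database `UPPER()` that an `email__iexact` lookup compiles to on some backends, and the NFKC-plus-casefold comparison is the one Django adopted in the fixed releases. The user table and the attacker's address are constructed sample data.

```python
"""Vulnerable vs. hardened password-reset account lookup (added example)."""
import unicodedata

# Constructed sample user table (username -> stored email); not real data.
USERS = {
    "mike": "mike@victim.example",
    "anna": "anna@victim.example",
}


def find_users_iexact(submitted_email):
    """Vulnerable lookup. Models `User.objects.filter(email__iexact=...)`
    on a backend that compares UPPER(column) = UPPER(value); str.upper()
    stands in for the database UPPER(). Distinct Unicode characters such as
    dotless i (U+0131) collapse onto the same ASCII letter here."""
    target = submitted_email.upper()
    return [name for name, stored in USERS.items() if stored.upper() == target]


def unicode_ci_compare(s1, s2):
    """Strict comparison used by the fix: NFKC-normalise both identifiers,
    then compare their casefolded forms (Unicode TR36, section 2.11.2(B)(2)).
    Dotless i casefolds to itself, so it no longer equals a plain ASCII i."""
    return (unicodedata.normalize("NFKC", s1).casefold()
            == unicodedata.normalize("NFKC", s2).casefold())


def find_users_fixed(submitted_email):
    """Hardened lookup: keep the iexact query as a coarse prefilter, then
    require the strict comparison against each candidate's stored email
    before any token is issued."""
    return [name for name in find_users_iexact(submitted_email)
            if unicode_ci_compare(submitted_email, USERS[name])]


def reset_targets(submitted_email, lookup):
    """Return (recipient, matched accounts). The recipient is the address
    the form was submitted with, because the vulnerable flow mailed the
    token there instead of to the matched user's stored email."""
    return submitted_email, lookup(submitted_email)


if __name__ == "__main__":
    # Attacker-controlled IDN domain that upper-cases to VICTIM.EXAMPLE.
    attacker = "mike@v\u0131ct\u0131m.example"
    print(reset_targets(attacker, find_users_iexact))  # ('mike@vıctım.example', ['mike'])
    print(reset_targets(attacker, find_users_fixed))   # ('mike@vıctım.example', [])
    print(reset_targets("MIKE@victim.example", find_users_fixed))  # plain ASCII case still matches
```

The prefilter-then-strict-compare shape matters: dropping `iexact` entirely would break ordinary users who type their address in a different ASCII case, while the casefold comparison alone would still have to run against every row. Note that casefolding is not a bijection either (for instance, `"ß".casefold()` is `"ss"`), so the stored email, not the submitted one, must always be the recipient of the token.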