CVE-2024-39329: n/a
An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The django.contrib.auth.backends.ModelBackend.authenticate() method allows remote attackers to enumerate users via a timing attack involving login requests for users with an unusable password.
AI Analysis
Technical Summary
CVE-2024-39329 is a timing attack vulnerability discovered in Django's authentication backend, specifically in the ModelBackend.authenticate() method within django.contrib.auth.backends. This vulnerability exists in Django versions 5.0 before 5.0.7 and 4.2 before 4.2.14. The flaw allows remote attackers to perform user enumeration by exploiting timing differences in login request responses when attempting to authenticate users who have unusable passwords. An unusable password in Django is a state where the password hash is set such that no password can authenticate successfully, often used for accounts that should not allow login. The authenticate() method's processing time varies depending on whether the username exists and whether the password is usable, enabling attackers to distinguish valid usernames from invalid ones by measuring response times. This side-channel attack does not require any authentication or user interaction, making it remotely exploitable over the network. The vulnerability is classified under CWE-208 (Information Exposure Through Timing Discrepancy). The CVSS v3.1 base score is 5.3, indicating medium severity, with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, meaning it is remotely exploitable with low attack complexity, no privileges or user interaction required, and impacts confidentiality only. No known exploits have been reported in the wild as of the publication date. The issue was addressed by the Django development team in versions 5.0.7 and 4.2.14 by equalizing the timing of authentication responses to prevent attackers from distinguishing valid usernames via timing analysis.
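The summary above describes the defect at the level of behaviour: the authentication path returns early, without doing any password hashing, when the username does not exist or the account's password is unusable, so those requests finish measurably faster than a wrong-password attempt against a normal account. The following Python is an added illustration, not Django's source or its patch. It models the early-return pattern beside the equalized alternative using hashlib's PBKDF2 as a stand-in for the framework's password hasher and a counter of hasher invocations as a deterministic stand-in for wall-clock time; the user table, usernames and passwords are constructed for the example.

```python
"""Added example: early-return authentication versus equalized-work authentication.

Not Django's code. PBKDF2-HMAC stands in for the password hasher, and
`hash_calls` counts hasher invocations as a proxy for response time, since the
slow hash dominates the cost of an authentication attempt.
"""
import hashlib
import hmac
import os

ITERATIONS = 20_000   # deliberately slow, like a real password hasher
hash_calls = 0        # number of times the expensive hasher ran


def hash_password(password, salt):
    """Run the slow hash and count the invocation (timing proxy)."""
    global hash_calls
    hash_calls += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(password):
    """Password None models an 'unusable password': no candidate can ever match."""
    if password is None:
        return {"salt": None, "hash": None}
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


# Constructed user table: one normal account, one SSO-only account with an
# unusable password (assumption for the example).
USERS = {
    "alice": make_record("correct horse battery staple"),
    "svc-sso": make_record(None),
}

# A fixed dummy salt lets the hardened path hash a candidate even when there is
# no real record to hash against.
_DUMMY_SALT = os.urandom(16)


def authenticate_vulnerable(username, password):
    """Early-return pattern: unknown user and unusable password skip the hasher."""
    record = USERS.get(username)
    if record is None or record["hash"] is None:
        return None                      # fast path: no hashing done
    candidate = hash_password(password, record["salt"])
    return username if hmac.compare_digest(candidate, record["hash"]) else None


def authenticate_hardened(username, password):
    """Equalized pattern: the hasher runs exactly once on every path, so the
    cost no longer depends on whether the user exists or the password is usable."""
    record = USERS.get(username)
    usable = record is not None and record["hash"] is not None
    salt = record["salt"] if usable else _DUMMY_SALT
    candidate = hash_password(password, salt)  # always paid
    if not usable:
        return None                      # rejected only after the same work
    return username if hmac.compare_digest(candidate, record["hash"]) else None


def hasher_calls_for(auth_fn, username, password):
    """Return how many hasher invocations one authentication attempt cost."""
    global hash_calls
    hash_calls = 0
    auth_fn(username, password)
    return hash_calls


if __name__ == "__main__":
    cases = [("nobody", "x"), ("svc-sso", "x"), ("alice", "x")]
    for fn in (authenticate_vulnerable, authenticate_hardened):
        print(fn.__name__)
        for user, pw in cases:
            print(f"  {user:8s} -> hasher calls: {hasher_calls_for(fn, user, pw)}")
```

Running the script shows the vulnerable function costing 0 hasher calls for the unknown and unusable-password users but 1 for the real account, while the hardened function costs 1 in every case. The constant-time digest comparison matters too, but the dominant signal here is whether the slow hash ran at all, which is why the fix is to pay that cost unconditionally.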
Potential Impact
For European organizations, this vulnerability primarily threatens the confidentiality of user account information by enabling attackers to enumerate valid usernames remotely. User enumeration can facilitate subsequent attacks such as credential stuffing, phishing, or brute force attempts, increasing the overall risk to organizational security. Web applications built on affected Django versions that handle sensitive user data or provide access to critical services are particularly at risk. While the vulnerability does not directly compromise data integrity or availability, the exposure of valid usernames can aid attackers in crafting more effective attacks, potentially leading to account compromise or unauthorized access. Organizations in sectors with high regulatory requirements for data protection, such as finance, healthcare, and government, may face compliance risks if user data is indirectly exposed. The lack of known exploits in the wild reduces immediate risk, but the ease of exploitation and the widespread use of Django in Europe necessitate prompt remediation to prevent exploitation.
Mitigation Recommendations
The primary mitigation is to upgrade Django installations to version 5.0.7 or 4.2.14 or later, where the timing discrepancy has been fixed. Organizations should audit their web applications to identify any usage of affected Django versions and plan timely patching. In addition to upgrading, developers can implement application-level mitigations such as adding consistent response delays or using constant-time comparison functions to reduce timing side channels. Monitoring authentication logs for unusual login attempts or patterns indicative of user enumeration can help detect exploitation attempts. Employing web application firewalls (WAFs) with rules to detect and block rapid, repeated login attempts may also reduce risk. Finally, organizations should review password policies and consider disabling or carefully managing accounts with unusable passwords to minimize attack surface.
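The monitoring recommendation above can be made concrete: enumeration attempts show up as one source touching many distinct usernames in a short window, all failing, whereas a legitimate user who mistypes retries the same username and eventually succeeds. The following Python is an added example, not part of this advisory or of Django; the log line format, the IP addresses (RFC 5737 documentation ranges) and the events are constructed, and the regex would need adapting to a real application's authentication log.

```python
"""Added example: flag source IPs whose failed logins sweep many distinct
usernames within a short window (a user-enumeration pattern).

Log format, addresses and events are constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log layout: "<ISO8601Z> src=<ip> user=<name> result=fail|ok"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "ip": m["ip"],
        "user": m["user"],
        "result": m["result"],
    }


def find_enumeration(lines, window_s=60, threshold=5):
    """Return {ip: max distinct usernames failed within any window_s window}
    for IPs that reached `threshold` distinct usernames. A successful login
    from an IP clears its window, so a person retrying their own account
    is not flagged."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)   # ip -> deque of (timestamp, username) failures
    flagged = {}
    for e in events:
        q = recent[e["ip"]]
        if e["result"] != "fail":
            q.clear()
            continue
        q.append((e["ts"], e["user"]))
        while (e["ts"] - q[0][0]).total_seconds() > window_s:
            q.popleft()             # drop failures older than the window
        distinct = len({u for _, u in q})
        if distinct >= threshold and distinct > flagged.get(e["ip"], 0):
            flagged[e["ip"]] = distinct
    return flagged


# Constructed sample log.
SAMPLE_LOG = [
    # 203.0.113.7 sweeps eight different usernames in about twenty seconds.
    *(f"2025-11-04T16:46:{s:02d}Z src=203.0.113.7 user=user{i} result=fail"
      for i, s in enumerate(range(0, 24, 3))),
    # 198.51.100.2 is one person mistyping their own password, then succeeding.
    "2025-11-04T16:46:05Z src=198.51.100.2 user=alice result=fail",
    "2025-11-04T16:46:09Z src=198.51.100.2 user=alice result=fail",
    "2025-11-04T16:46:15Z src=198.51.100.2 user=alice result=ok",
    # 192.0.2.9 touches six names but two minutes apart: below the rate.
    *(f"2025-11-04T16:{46 + 2 * i:02d}:30Z src=192.0.2.9 user=acct{i} result=fail"
      for i in range(6)),
    "this line is not an auth event and is ignored",
]


if __name__ == "__main__":
    for ip, n in find_enumeration(SAMPLE_LOG).items():
        print(f"possible user enumeration from {ip}: {n} distinct usernames failed within 60s")
```

The window and threshold are tuning knobs: a wider window catches slow sweeps at the cost of more false positives, so the sample's slow source from 192.0.2.9 is only reported when the window is widened. Pairing this with per-IP rate limiting at the WAF, as the recommendations suggest, both reduces the attacker's measurement precision and makes the pattern easier to spot.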
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2024-06-23T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 690a2decf0ba78a0505371ac
Added to database: 11/4/2025, 4:46:36 PM
Last enriched: 11/4/2025, 5:13:56 PM
Last updated: 12/15/2025, 11:14:22 AM
Views: 11