django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2, and 1.11.8 and 1.11.9, allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive.
Ubuntu Security Notice 3559-1 - It was discovered that Django incorrectly handled certain requests. An attacker could possibly use this to access sensitive information.