CVE-2013-1443
Published: 2013-09-23
CVE-2013-1443: The authentication framework (django.contrib.auth) in Django 1.4.x before 1.4.8, 1.5.x before 1.5.4, and 1.6.x before 1.6 beta 4 allows remote attackers to…
Priority: P4 · 24 · medium · CVSS 2.0 base score 5
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
EPSS: 2.66% (83.8th percentile)
The authentication framework (django.contrib.auth) in Django 1.4.x before 1.4.8, 1.5.x before 1.5.4, and 1.6.x before 1.6 beta 4 allows remote attackers to cause a denial of service (CPU consumption) via a long password which is then hashed.
Affected
15 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python-django | < python-django 1.5.4-1 (bookworm) | python-django 1.5.4-1 (bookworm) |
| djangoproject | django | — | — |
| djangoproject | django | — | — |
| djangoproject | django | — | — |
| djangoproject | django | — | — |
| djangoproject | django | — | — |
| djangoproject | django | — | — |
| djangoproject | django | — | — |
| djangoproject | django | — | — |
| djangoproject | django | — | — |
| djangoproject | django | — | — |
| djangoproject | django | — | — |
| djangoproject | django | — | — |
| djangoproject | django | >= 1.4 < 1.4.8 | 1.4.8 |
| djangoproject | django | >= 1.5 < 1.5.4 | 1.5.4 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| osv | — | 5.0 | MEDIUM | — |
| vendor_debian | — | 5.0 | MEDIUM | — |
| vendor_redhat | — | 5.0 | MEDIUM | — |
| vendor_ubuntu | — | 5.0 | MEDIUM | — |
OSV
Django Denial of Service Vulnerability in the authentication framework (osv · 2022-05-17 · HIGH)
The authentication framework (django.contrib.auth) in Django 1.4.x before 1.4.8, 1.5.x before 1.5.4, and 1.6.x before 1.6 beta 4 allows remote attackers to cause a denial of service (CPU consumption) via a long password which is then hashed.
GHSA
Django Denial of Service Vulnerability in the authentication framework (ghsa · 2022-05-17 · HIGH · CWE-400)
The authentication framework (django.contrib.auth) in Django 1.4.x before 1.4.8, 1.5.x before 1.5.4, and 1.6.x before 1.6 beta 4 allows remote attackers to cause a denial of service (CPU consumption) via a long password which is then hashed.
OSV
CVE-2013-1443: The authentication framework (django (osv · 2013-09-23 · CVSS 5.0 · MEDIUM)
The authentication framework (django.contrib.auth) in Django 1.4.x before 1.4.8, 1.5.x before 1.5.4, and 1.6.x before 1.6 beta 4 allows remote attackers to cause a denial of service (CPU consumption) via a long password which is then hashed.
Ubuntu
Django vulnerabilities (vendor_ubuntu · 2013-09-24 · CVSS 5.0 · MEDIUM)
Summary: Several security issues were fixed in Django.
It was discovered that Django incorrectly handled large passwords. A remote
attacker could use this issue to consume resources, resulting in a denial
of service. (CVE-2013-1443)
It was discovered that Django incorrectly handled ssi templates. An
attacker could use this issue to read arbitrary files. (CVE-2013-4315)
It was discovered that the Django is_safe_url utility function did not
restrict redirects to certain schemes. An attacker could possibly use this
issue to perform a cross-site scripting attack.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
python-django: DoS via large passwords (vendor_redhat · 2013-09-15 · CVSS 5.0 · MEDIUM)
The authentication framework (django.contrib.auth) in Django 1.4.x before 1.4.8, 1.5.x before 1.5.4, and 1.6.x before 1.6 beta 4 allows remote attackers to cause a denial of service (CPU consumption) via a long password which is then hashed.
Package: Django14 (Red Hat OpenStack Platform 3) - Not affected
Package: Django (Red Hat Subscription Asset Manager) - Will not fix
Debian
CVE-2013-1443: python-django - The authentication framework (django.contrib.auth) in Django 1.4.x before 1.4.8,... (vendor_debian · 2013 · CVSS 5.0 · MEDIUM)
The authentication framework (django.contrib.auth) in Django 1.4.x before 1.4.8, 1.5.x before 1.5.4, and 1.6.x before 1.6 beta 4 allows remote attackers to cause a denial of service (CPU consumption) via a long password which is then hashed.
Scope: local
bookworm: resolved (fixed in 1.5.4-1)
bullseye: resolved (fixed in 1.5.4-1)
forky: resolved (fixed in 1.5.4-1)
sid: resolved (fixed in 1.5.4-1)
trixie: resolved (fixed in 1.5.4-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2013-1443 Django14: python-django: DoS via large passwords [epel-6] (bugzilla · 2013-09-16 · CVSS 5.0 · MEDIUM)
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
epel-6 tracking bug for Djan
Bugzilla
CVE-2013-1443 python-django: DoS via large passwords (bugzilla · 2013-09-16 · CVSS 5.0 · MEDIUM)
It was found that python-django, a high level Python web framework, was vulnerable to a DoS attack via large passwords. An attacker could send a large password to the machine; as there wasn't any limit imposed on the length of passwords, a large password could use all the machine's available resources for the hash computation, thus making the machine slow and unresponsive.
The issue has been known to be fixed in latest updates for python-django 1.4.8 and 1.5.4.
References:
https://www.djangoproject.com/weblog/2013/sep/15/security/
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=723043
Discussion:
Created Django14 tracking bugs for this issue:
Affects: epel-6 [bug 1008282]
---
Created python-django tracking bugs for this i
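As an added illustration of the mitigation class the bug report above describes (bounding password length before the expensive hash runs), the following Python is example code written for this page; it is not Django's own code. The cap value, the PBKDF2 parameters, and the `Authenticator` / `make_authenticator` names are constructed for the example, and the `hash_calls` counter exists only to show that an oversized input never reaches the hash.

```python
import hashlib
import hmac
import os

# Constructed upper bound for this example: bytes of password accepted
# before any key-stretching hash runs. The Django fix introduced a cap of
# this kind; the specific number here is an assumption for the demo.
MAX_PASSWORD_BYTES = 4096

# Constructed work factor; real deployments tune this to their hardware.
PBKDF2_ITERATIONS = 50_000


def password_within_limit(password: str, max_bytes: int = MAX_PASSWORD_BYTES) -> bool:
    """Return True when the UTF-8 encoding of `password` fits the cap.

    The check is on encoded bytes, not characters, because multi-byte
    characters are what the hash function actually consumes.
    """
    return len(password.encode("utf-8")) <= max_bytes


def slow_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Key-stretching hash; this is the step an oversized input must never reach."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


class Authenticator:
    """Minimal verifier that counts how often the expensive hash ran."""

    def __init__(self, salt: bytes, stored_hash: bytes):
        self.salt = salt
        self.stored_hash = stored_hash
        self.hash_calls = 0  # instrumentation only

    def verify(self, candidate: str) -> bool:
        # Reject oversized input before spending CPU on key stretching.
        if not password_within_limit(candidate):
            return False
        self.hash_calls += 1
        digest = slow_hash(candidate, self.salt)
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(digest, self.stored_hash)


def make_authenticator(password: str, salt: bytes = b"") -> Authenticator:
    """Enroll a password: salt it, stretch it, and keep only salt + digest."""
    if not password_within_limit(password):
        raise ValueError("password exceeds %d bytes" % MAX_PASSWORD_BYTES)
    salt = salt or os.urandom(16)
    return Authenticator(salt, slow_hash(password, salt))


if __name__ == "__main__":
    auth = make_authenticator("correct horse battery staple")
    print("good password:", auth.verify("correct horse battery staple"),
          "hash calls:", auth.hash_calls)
    # A 1 MiB candidate (constructed) is refused without touching the hasher.
    print("1 MiB password:", auth.verify("a" * (1 << 20)),
          "hash calls:", auth.hash_calls)
```

The ordering is the whole point: the length check costs one `encode` and a comparison, while the hash costs tens of thousands of HMAC rounds, so any cap must sit in front of the hash rather than inside it. Checking bytes rather than characters keeps the bound meaningful for non-ASCII input.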
Bugzilla
CVE-2013-1443 python-django: DoS via large passwords [fedora-all] (bugzilla · 2013-09-16 · CVSS 5.0 · MEDIUM)
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
Please note: this issue affects multipl
References:
- http://lists.opensuse.org/opensuse-updates/2013-10/msg00015.html
- http://lists.opensuse.org/opensuse-updates/2013-11/msg00035.html
- http://python.6.x6.nabble.com/Set-a-reasonable-upper-bound-on-password-length-td5032218.html
- http://www.debian.org/security/2013/dsa-2758
- https://www.djangoproject.com/weblog/2013/sep/15/security/