CVE-2016-2513
Published 2016-04-08
Priority: P4 · 19 · low · 3.1 (CVSS 3.0)
CVSS 3.0 vector: AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
EPSS: 3.32% (87.1th percentile)
The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests.
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python-django | < python-django 1.9.4-1 (bookworm) | python-django 1.9.4-1 (bookworm) |
| djangoproject | django | — | — |
| djangoproject | django | — | — |
| djangoproject | django | — | — |
| djangoproject | django | — | — |
| djangoproject | django | >= 0 < 1.8.10 | 1.8.10 |
| djangoproject | django | >= 1.9 < 1.9.3 | 1.9.3 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 3.1 | LOW | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N |
| nvd | v2.0 | 2.6 | LOW | AV:N/AC:H/Au:N/C:P/I:N/A:N |
| osv | — | 7.4 | HIGH | — |
| vendor_ubuntu | — | 7.4 | HIGH | — |
| vendor_debian | — | 3.1 | LOW | — |
| vendor_redhat | — | 3.1 | LOW | — |
OSV: Django User Enumeration Vulnerability
osv · 2022-05-17 · CVE-2016-2513 [LOW]
The password hasher in `contrib/auth/hashers.py` in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests.
GHSA: Django User Enumeration Vulnerability
ghsa · 2022-05-17 · CVE-2016-2513 [LOW] · CWE-200
The password hasher in `contrib/auth/hashers.py` in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests.
OSV: CVE-2016-2513: The password hasher in contrib/auth/hashers
osv · 2016-04-08 · CVE-2016-2513 [LOW] · CVSS 3.1
The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests.
OSV: python-django regression
osv · 2016-03-07 · CVE-2016-2512 [HIGH] · CVSS 7.4
USN-2915-1 fixed vulnerabilities in Django. The upstream fix for
CVE-2016-2512 introduced a regression for certain applications. This update
fixes the problem by applying the complete upstream regression fix.
Original advisory details:
Mark Striemer discovered that Django incorrectly handled user-supplied
redirect URLs containing basic authentication credentials. A remote
attacker could possibly use this issue to perform a cross-site scripting
attack or a malicious redirect. (CVE-2016-2512)
Sjoerd Job Postmus discovered that Django incorrectly handled timing when
doing password hashing operations. A remote attacker could possibly use
this issue to perform user enumeration. (CVE-2016-2513)
OSV: python-django vulnerabilities
osv · 2016-03-01 · CVE-2016-2512 [HIGH] · CVSS 7.4
Mark Striemer discovered that Django incorrectly handled user-supplied
redirect URLs containing basic authentication credentials. A remote
attacker could possibly use this issue to perform a cross-site scripting
attack or a malicious redirect. (CVE-2016-2512)
Sjoerd Job Postmus discovered that Django incorrectly handled timing when
doing password hashing operations. A remote attacker could possibly use
this issue to perform user enumeration. (CVE-2016-2513)
Ubuntu: Django regression
vendor_ubuntu · 2016-03-07 · CVE-2016-2512 [HIGH] · CVSS 7.4
Summary: USN-2915-1 introduced a regression in Django.
USN-2915-1 fixed vulnerabilities in Django. The upstream fix for
CVE-2016-2512 introduced a regression for certain applications. This update
fixes the problem by applying the complete upstream regression fix.
Original advisory details:
Mark Striemer discovered that Django incorrectly handled user-supplied
redirect URLs containing basic authentication credentials. A remote
attacker could possibly use this issue to perform a cross-site scripting
attack or a malicious redirect. (CVE-2016-2512)
Sjoerd Job Postmus discovered that Django incorrectly handled timing when
doing password hashing operations. A remote attacker could possibly use
this issue to perform user enumeration. (CVE-2016-2513)
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu: Django vulnerabilities
vendor_ubuntu · 2016-03-01 · CVE-2016-2512 [HIGH] · CVSS 7.4
Summary: Several security issues were fixed in Django.
Mark Striemer discovered that Django incorrectly handled user-supplied
redirect URLs containing basic authentication credentials. A remote
attacker could possibly use this issue to perform a cross-site scripting
attack or a malicious redirect. (CVE-2016-2512)
Sjoerd Job Postmus discovered that Django incorrectly handled timing when
doing password hashing operations. A remote attacker could possibly use
this issue to perform user enumeration. (CVE-2016-2513)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat: python-django: User enumeration through timing difference on password hasher work factor upgrade
vendor_redhat · 2016-03-01 · CVE-2016-2513 [LOW] · CWE-385 · CVSS 3.1
The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests.
A timing attack flaw was found in the way Django's PBKDF2PasswordHasher performed password hashing. Passwords hashed with an older version of PBKDF2PasswordHasher used fewer hashing iterations, which allowed an attacker to enumerate existing users from the time differences between login requests.
Package: Django (Red Hat Ceph Storage 1.2) - Will not fix
Package: Django (Red Hat Ceph Storage 1.3) - Will not fix
Package: python-django (Red Hat OpenStack Platform 8 (Liberty)) - Not affected
Package: python-
Debian: CVE-2016-2513: python-django - The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x...
vendor_debian · 2016 · CVE-2016-2513 [LOW] · CVSS 3.1
The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests.
Scope: local
bookworm: resolved (fixed in 1.9.4-1)
bullseye: resolved (fixed in 1.9.4-1)
forky: resolved (fixed in 1.9.4-1)
sid: resolved (fixed in 1.9.4-1)
trixie: resolved (fixed in 1.9.4-1)
No detection rules found.
No public exploits indexed.
Bugzilla: CVE-2016-2513 python-django15: python-django: User enumeration through timing difference on password hasher work factor upgrade [epel-6]
bugzilla · 2016-03-04 · CVE-2016-2513 [LOW] · CVSS 3.1
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Bugzilla: CVE-2016-2513 python-django: User enumeration through timing difference on password hasher work factor upgrade [fedora-all]
bugzilla · 2016-03-04 · CVE-2016-2513 [LOW] · CVSS 3.1
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this
Bugzilla: CVE-2016-2513 python-django: User enumeration through timing difference on password hasher work factor upgrade [epel-7]
bugzilla · 2016-03-04 · CVE-2016-2513 [LOW] · CVSS 3.1
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
[bug auto
Bugzilla: CVE-2016-2513 django14: python-django: User enumeration through timing difference on password hasher work factor upgrade [epel-6]
bugzilla · 2016-03-04 · CVE-2016-2513 [LOW] · CVSS 3.1
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Bugzilla: CVE-2016-2513 python-django: User enumeration through timing difference on password hasher work factor upgrade
bugzilla · 2016-02-24 · CVE-2016-2513 [LOW] · CVSS 3.1
A timing difference between login requests of nonexistent users and users who haven't logged in for a certain time was found.
In each major version of Django since 1.6, the default number of iterations for the ``PBKDF2PasswordHasher`` and its subclasses has increased. Passwords of users who haven't logged in since the iterations were increased are still encoded with the older number of iterations, which creates the timing difference between login requests. The first time a user logs in after an iterations increase, their password is re-encoded with the new iterations and there is no longer a timing difference.
However, if there are different password hashes in the database (such as SHA1 ha
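The Red Hat and Bugzilla descriptions above explain the mechanism: a stored hash written at an older PBKDF2 work factor costs fewer iterations to verify than a current-strength hash, so a failed login against a stale account is measurably faster than a failed login against a missing account (which runs a dummy hash at the current work factor). The block below is an added illustration, not Django's code and not from any of the advisories; it models a tiny login backend with `hashlib.pbkdf2_hmac` and shows both the unhardened check and a hardened one that, on a wrong password for an out-of-date hash, spends the missing iterations so the cost matches a current-strength check. That top-up is the shape of the `harden_runtime()` hook Django added in 1.8.10 and 1.9.3; the function names, iteration counts, salt and user table here are constructed for the example.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Constructed work factors for this illustration (not Django's defaults): the
# hash on disk was written at OLD_ITERATIONS, the code now runs CURRENT_ITERATIONS.
OLD_ITERATIONS = 10_000
CURRENT_ITERATIONS = 30_000
# Fixed, constructed salt so the sample user table is deterministic.
SAMPLE_SALT = bytes(range(16))


@dataclass
class Checked:
    """Outcome of one login check and the PBKDF2 iterations actually spent."""
    is_correct: bool
    iterations_spent: int
    must_update: bool


def encode(password: str, salt: bytes, iterations: int) -> str:
    """Store as 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def decode(encoded: str):
    algorithm, iterations, salt_hex, hash_hex = encoded.split("$", 3)
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported hasher in this sample")
    return int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)


def check_password(password: str, encoded: str, hardened: bool) -> Checked:
    """Verify against the stored hash.
    Unhardened: cost is whatever work factor the stored hash carries (the leak).
    Hardened: on a wrong password for an out-of-date hash, run the missing
    iterations too (derived key discarded) so the cost equals a current check.
    The hardened branch re-implements the idea of Django's harden_runtime();
    it is not Django's code."""
    iterations, salt, expected = decode(encoded)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    is_correct = hmac.compare_digest(dk, expected)
    must_update = iterations != CURRENT_ITERATIONS
    spent = iterations
    if hardened and not is_correct and iterations < CURRENT_ITERATIONS:
        extra = CURRENT_ITERATIONS - iterations
        hashlib.pbkdf2_hmac("sha256", password.encode(), salt, extra)
        spent += extra
    return Checked(is_correct, spent, must_update)


def make_users() -> dict:
    """Constructed user table: one account whose hash predates the work factor bump."""
    return {"alice": encode("correct horse", SAMPLE_SALT, OLD_ITERATIONS)}


def authenticate(username: str, password: str, users: dict, hardened: bool = True) -> Checked:
    """Model of a login backend. A missing account still runs the hasher at the
    current work factor (dummy hash, result unused), and a successful login
    against a stale hash re-encodes the password at the current work factor."""
    encoded = users.get(username)
    if encoded is None:
        encode(password, SAMPLE_SALT, CURRENT_ITERATIONS)
        return Checked(False, CURRENT_ITERATIONS, False)
    result = check_password(password, encoded, hardened)
    if result.is_correct and result.must_update:
        users[username] = encode(password, os.urandom(16), CURRENT_ITERATIONS)
        return Checked(True, result.iterations_spent + CURRENT_ITERATIONS, False)
    return result


def timed(username: str, password: str, users: dict, hardened: bool) -> float:
    """Wall-clock seconds for one login attempt; absolute values are machine-dependent."""
    start = time.perf_counter()
    authenticate(username, password, users, hardened)
    return time.perf_counter() - start


if __name__ == "__main__":
    for hardened in (False, True):
        users = make_users()
        missing = timed("nobody", "guess", users, hardened)
        stale = timed("alice", "guess", users, hardened)
        print(f"hardened={hardened}: missing user {missing * 1000:.1f} ms, "
              f"stale-hash user {stale * 1000:.1f} ms")
```

Run as a script it prints the two failed-login timings with and without hardening; the unhardened pair differs by roughly the cost of the missing iterations, the hardened pair does not. The iteration counts returned in `Checked` are the deterministic version of the same observation, and they also show the remaining cost spike on a correct login (old check plus re-encode), which is a one-time event per account rather than something a wrong guess can trigger.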
References
http://rhn.redhat.com/errata/RHSA-2016-0502.html
http://rhn.redhat.com/errata/RHSA-2016-0504.html
http://rhn.redhat.com/errata/RHSA-2016-0505.html
http://rhn.redhat.com/errata/RHSA-2016-0506.html
http://www.debian.org/security/2016/dsa-3544
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
http://www.securityfocus.com/bid/83878
http://www.securitytracker.com/id/1035152
http://www.ubuntu.com/usn/USN-2915-1
http://www.ubuntu.com/usn/USN-2915-2
http://www.ubuntu.com/usn/USN-2915-3
https://github.com/django/django/commit/67b46ba7016da2d259c1ecc7d666d11f5e1cfaab
https://www.djangoproject.com/weblog/2016/mar/01/security-releases/