CVE-2016-9013
Published: 2016-12-09
CVE-2016-9013: Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a hardcoded password for a temporary database user created when running tests…
Priority: P358 · Severity: critical · CVSS 3.0: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 5.14% (91.4th percentile)
Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a hardcoded password for a temporary database user created when running tests with an Oracle database, which makes it easier for remote attackers to obtain access to the database server by leveraging failure to manually specify a password in the database settings TEST dictionary.
Affected
40 ranges (showing 25)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| debian | python-django | < python-django 1:1.10.3-1 (bookworm) | python-django 1:1.10.3-1 (bookworm) |
| djangoproject | django | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 9.8 | CRITICAL | — |
OSV · 2022-05-17 · CVE-2016-9013 [CRITICAL]
Django user with hardcoded password created when running tests on Oracle
GHSA · 2022-05-17 · CVE-2016-9013 [CRITICAL] · CWE-798
Django user with hardcoded password created when running tests on Oracle
OSV · 2016-12-09 · CVSS 9.8 · CVE-2016-9013 [CRITICAL]
CVE-2016-9013: Django 1
OSV · 2016-11-01 · CVSS 9.8 · CVE-2016-9013 [CRITICAL]
python-django vulnerabilities
Marti Raudsepp discovered that Django incorrectly used a hardcoded password when running tests on an Oracle database. A remote attacker could possibly connect to the database while the tests are running and prevent the test user with the hardcoded password from being removed. (CVE-2016-9013)

Aymeric Augustin discovered that Django incorrectly validated hosts when being run with the debug setting enabled. A remote attacker could possibly use this issue to perform DNS rebinding attacks. (CVE-2016-9014)
Red Hat · 2016-11-01 · CVSS 9.8 · CVE-2016-9013 [CRITICAL] · CWE-798
python-django: user with hardcoded password created when running tests on Oracle
Package: Django (Red Hat Ceph Storage 1.3) - Not affected
Package: python-django (Red Hat Ceph Storage 2) - Not affected
Package: python-django (Red Hat Enterprise Linux OpenStack Platform 5 (Icehouse)) - Not affected
Package: python-django (Red Hat Enterprise Linux OpenStack Platform 6 (Juno)) - Not affected
Package: python-django (Red Hat Enterprise
Ubuntu · 2016-11-01 · CVSS 9.8 · CVE-2016-9013 [CRITICAL]
Title: Django vulnerabilities
Summary: Several security issues were fixed in Django.
Instructions: In general, a standard system update will make all the necessary changes.
Debian · 2016 · CVSS 9.8 · CVE-2016-9013 [CRITICAL]
CVE-2016-9013: python-django - Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a ...
Scope: local
bookworm: resolved (fixed in 1:1.10.3-1)
bullseye: resolved (fixed in 1:1.10.3-1)
forky: resolved (fixed in 1:1.10.3-1)
sid: resolved (fixed in 1:1.10.3-1)
trixie: resolved (fixed in 1:1.10.3-1)
No detection rules found.
No public exploits indexed.
Bugzilla · 2016-11-01 · CVSS 9.8 · CVE-2016-9013 [CRITICAL]
CVE-2016-9013 CVE-2016-9014 python-django: various flaws [epel-7]
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora EPEL.

For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.

For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs

When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.

Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.

[bug automatically created by: add-tracking-bugs]
Bugzilla · 2016-11-01 · CVSS 9.8 · CVE-2016-9013 [CRITICAL]
CVE-2016-9013 CVE-2016-9014 python-django: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora.
NOTE: this issue affects multiple supported versions of Fedora.
Bugzilla · 2016-11-01 · CVSS 9.8 · CVE-2016-9013 [CRITICAL]
CVE-2016-9013 CVE-2016-9014 Django14: various flaws [epel-6]
Bugzilla · 2016-10-27 · CVSS 9.8 · CVE-2016-9013 [CRITICAL]
CVE-2016-9013 python-django: user with hardcoded password created when running tests on Oracle
The following flaw was reported in Django:
When running tests with an Oracle database, Django creates a temporary database user. In older versions, if a password isn't manually specified in the database settings 'TEST' dictionary, a hardcoded password is used. This could allow an attacker with network access to the database server to connect.
This user is usually dropped after the test suite completes, but not when using the 'manage.py test --keepdb' option or if the user has an active session (such as an attacker's connection).
A randomly generated password is now used for each test run.
Acknowledgments:
Name: the Django project
---
Created attachment 1214631
oracle-1.10.x.d
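As an added example (not code from this page or from the Django project), a settings audit in Python for the condition the report above describes: it flags Oracle database aliases whose TEST dictionary carries no explicit PASSWORD, the case in which affected releases fell back to the hardcoded one, and fills that gap with a per-run random password in the way the upstream fix does. The SAMPLE_DATABASES dictionary and the function names are constructed for this example.

```python
import secrets
import string

ORACLE_ENGINE = "django.db.backends.oracle"


def missing_test_passwords(databases):
    """Return the aliases of Oracle databases whose TEST dict has no
    explicit, non-empty PASSWORD. A top-level PASSWORD does not count:
    the test user is a separate account created only for the test run."""
    flagged = []
    for alias, cfg in databases.items():
        if cfg.get("ENGINE") != ORACLE_ENGINE:
            continue  # the hardcoded fallback existed only in the Oracle backend
        test = cfg.get("TEST") or {}
        if not test.get("PASSWORD"):
            flagged.append(alias)
    return flagged


def random_test_password(length=30):
    """Fresh random password for one test run, the same idea as the fix."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def harden(databases):
    """Return a copy of DATABASES in which every Oracle alias lacking a
    TEST PASSWORD gets a random one; every other setting is left as is."""
    fixed = {}
    for alias, cfg in databases.items():
        cfg = dict(cfg)
        if cfg.get("ENGINE") == ORACLE_ENGINE:
            test = dict(cfg.get("TEST") or {})
            if not test.get("PASSWORD"):
                test["PASSWORD"] = random_test_password()
            cfg["TEST"] = test
        fixed[alias] = cfg
    return fixed


# Constructed sample settings: one Oracle alias missing a TEST password,
# one already configured, and a non-Oracle alias the check must ignore.
SAMPLE_DATABASES = {
    "default": {"ENGINE": ORACLE_ENGINE, "NAME": "xe", "USER": "app",
                "PASSWORD": "placeholder", "TEST": {"USER": "test_app"}},
    "reporting": {"ENGINE": ORACLE_ENGINE, "NAME": "xe",
                  "TEST": {"USER": "test_rep", "PASSWORD": "placeholder2"}},
    "legacy": {"ENGINE": "django.db.backends.postgresql", "NAME": "legacy"},
}

if __name__ == "__main__":
    print("aliases at risk:", missing_test_passwords(SAMPLE_DATABASES))
```

Setting TEST['PASSWORD'] is only the pre-upgrade workaround the description points to; as the report notes, --keepdb or an open session can keep the test user alive, so moving to a fixed release remains the actual remedy.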
References:
http://www.debian.org/security/2017/dsa-3835
http://www.securityfocus.com/bid/94069
http://www.securitytracker.com/id/1037159
http://www.ubuntu.com/usn/USN-3115-1
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OG5ROMUPS6C7BXELD3TAUUH7OBYV56WQ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QXDKJYHN74BWY3P7AR2UZDVJREQMRE6S/
https://www.djangoproject.com/weblog/2016/nov/01/security-releases/