CVE-2016-9013Hard-coded Credentials in Django

CWE-798Hard-coded Credentials13 documents8 sources
Severity
9.8CRITICALNVD
EPSS
1.8%
top 16.99%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Djangoproject DjangoCanonical Ubuntu LinuxFedoraproject Fedora
Timeline
PublishedDec 9
Latest updateMay 17

Description

Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a hardcoded password for a temporary database user created when running tests with an Oracle database, which makes it easier for remote attackers to obtain access to the database server by leveraging failure to manually specify a password in the database settings TEST dictionary.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

PyPIdjangoproject/django1.10a11.10.3+2
NVDdjangoproject/django30 versions+29

Also affects: Fedora 24, 25, Ubuntu Linux 12.04, 14.04, 16.04, 16.10

🔴Vulnerability Details

5
OSV
Django user with hardcoded password created when running tests on Oracle2022-05-17
GHSA
Django user with hardcoded password created when running tests on Oracle2022-05-17
OSV
CVE-2016-9013: Django 12016-12-09
CVEList
CVE-2016-9013: Django 12016-12-09
OSV
python-django vulnerabilities2016-11-01

📋Vendor Advisories

3
Red Hat
python-django: user with hardcoded password created when running tests on Oracle2016-11-01
Ubuntu
Django vulnerabilities2016-11-01
Debian
CVE-2016-9013: python-django - Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a ...2016

💬Community

4
Bugzilla
CVE-2016-9013 CVE-2016-9014 python-django: various flaws [epel-7]2016-11-01
Bugzilla
CVE-2016-9013 CVE-2016-9014 python-django: various flaws [fedora-all]2016-11-01
Bugzilla
CVE-2016-9013 CVE-2016-9014 Django14: various flaws [epel-6]2016-11-01
Bugzilla
CVE-2016-9013 python-django: user with hardcoded password created when running tests on Oracle2016-10-27
CVE-2016-9013 — Hard-coded Credentials in Django | cvebase