CVE-2016-9013
CRITICAL severity · CVSS 9.8 · Hard-coded credentials
Summary
Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a hardcoded password for a temporary database user created when running tests with an Oracle database, which makes it easier for remote attackers to obtain access to the database server by leveraging failure to manually specify a password in the database settings TEST dictionary.
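As an added example (not code from the Django project or from the advisory), here is the settings TEST dictionary the summary refers to, once without a PASSWORD for the Oracle test user, which is the configuration the affected releases resolved to a fixed value, and once with an explicit per-run secret, together with a check that can be run over a project's DATABASES setting in CI. The database alias, user names, tablespace name and the DB_TEST_PASSWORD environment variable are assumptions.

```python
import os
import secrets

ORACLE_ENGINE = "django.db.backends.oracle"

# Constructed sample matching the advisory: credentials for the temporary
# test user live in TEST, and PASSWORD was never set.
WEAK_DATABASES = {
    "default": {
        "ENGINE": ORACLE_ENGINE,
        "NAME": "xe",
        "USER": "app",
        "PASSWORD": os.environ.get("DB_PASSWORD", ""),
        "TEST": {"USER": "app_test", "TBLSPACE": "app_test_data"},
    },
}

# Same settings with an explicit TEST PASSWORD. DB_TEST_PASSWORD is a
# hypothetical variable; when absent, a fresh random value is generated each
# time settings load, which is fine because the test runner creates and
# drops the temporary user within one process.
HARDENED_DATABASES = {
    "default": {
        **WEAK_DATABASES["default"],
        "TEST": {
            **WEAK_DATABASES["default"]["TEST"],
            "PASSWORD": os.environ.get("DB_TEST_PASSWORD")
            or secrets.token_urlsafe(24),
        },
    },
}


def oracle_aliases_without_test_password(databases):
    """Return aliases of Oracle databases whose TEST dict sets no PASSWORD.

    Meant for a settings check or CI lint: a non-empty result means the
    temporary test user would rely on whatever default the installed
    Django version supplies instead of a secret chosen by the project.
    """
    missing = []
    for alias, cfg in databases.items():
        if cfg.get("ENGINE") != ORACLE_ENGINE:
            continue  # only the Oracle backend creates this test user
        if not cfg.get("TEST", {}).get("PASSWORD"):
            missing.append(alias)
    return missing
```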
Impact & exploitability
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality impact: High
Integrity impact: High
Availability impact: High
Exploit probability (EPSS): 1%
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Recommendation
Apply the vendor fix promptly: upgrade to Django 1.8.16, 1.9.11 or 1.10.3 (or later), the first releases of each series that are not affected according to the summary above.
Additional information
- NVD record
- https://www.djangoproject.com/weblog/2016/nov/01/security-releases/ (Advisory)
- http://www.debian.org/security/2017/dsa-3835
- http://www.securityfocus.com/bid/94069 (Advisory)
- http://www.securitytracker.com/id/1037159 (Advisory)
- http://www.ubuntu.com/usn/USN-3115-1 (Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OG5ROMUPS6C7BXELD3TAUUH7OBYV56WQ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QXDKJYHN74BWY3P7AR2UZDVJREQMRE6S/