CVSSv2: 7.5

CVE-2016-9013

Published: 09/12/2016 Updated: 04/11/2017
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 668
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

Django 1.8.x prior to 1.8.16, 1.9.x prior to 1.9.11, and 1.10.x prior to 1.10.3 use a hardcoded password for a temporary database user created when running tests with an Oracle database, which makes it easier for remote malicious users to obtain access to the database server by leveraging failure to manually specify a password in the database settings TEST dictionary.
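The condition the summary describes is a settings shape: an Oracle entry in `DATABASES` whose `TEST` dictionary does not set `PASSWORD`, so the affected versions fall back to a fixed value for the temporary test user. The following is an added example (not Django's code and not from this advisory) that audits a `DATABASES` dict for that shape and produces a hardened copy with an explicitly generated test password; the sample settings, alias names and the `password_factory` parameter are constructed for illustration. Upgrading to the fixed releases named above remains the actual fix; this check is for spotting the setting in projects you review.

```python
"""Audit Django DATABASES settings for Oracle backends whose TEST dict lacks an
explicit PASSWORD (the condition described in CVE-2016-9013) and return a hardened
copy. Added example; not Django's own code."""
import copy
import secrets

ORACLE_ENGINE = "django.db.backends.oracle"


def find_unset_test_passwords(databases):
    """Return the aliases of Oracle databases whose TEST settings do not set PASSWORD.

    Non-Oracle backends are skipped: the hardcoded-password behaviour in the
    summary applies only to the Oracle test-user creation path.
    """
    flagged = []
    for alias, cfg in databases.items():
        if cfg.get("ENGINE") != ORACLE_ENGINE:
            continue
        test_cfg = cfg.get("TEST") or {}
        if not test_cfg.get("PASSWORD"):
            flagged.append(alias)
    return flagged


def harden(databases, password_factory=lambda: secrets.token_urlsafe(24)):
    """Return a deep copy of `databases` with a generated TEST PASSWORD for every
    flagged alias. The original dict is left untouched so the audit can be diffed."""
    hardened = copy.deepcopy(databases)
    for alias in find_unset_test_passwords(databases):
        test_cfg = hardened[alias].get("TEST") or {}
        test_cfg["PASSWORD"] = password_factory()  # hypothetical parameter, random by default
        hardened[alias]["TEST"] = test_cfg
    return hardened


# Constructed sample settings (not from any real project): "default" has the
# vulnerable shape, "reporting" already sets an explicit test password, and
# "analytics" is a non-Oracle backend that the check ignores.
SAMPLE_DATABASES = {
    "default": {
        "ENGINE": ORACLE_ENGINE,
        "NAME": "xe",
        "USER": "app",
        "PASSWORD": "app-secret",
    },
    "reporting": {
        "ENGINE": ORACLE_ENGINE,
        "NAME": "xe",
        "USER": "rep",
        "PASSWORD": "rep-secret",
        "TEST": {"USER": "test_rep", "PASSWORD": "explicit-test-secret"},
    },
    "analytics": {
        "ENGINE": "django.db.backends.postgresql",
        "NAME": "analytics",
    },
}

if __name__ == "__main__":
    print("aliases missing TEST PASSWORD:", find_unset_test_passwords(SAMPLE_DATABASES))
    fixed = harden(SAMPLE_DATABASES)
    print("after hardening:", find_unset_test_passwords(fixed))
```

Run against a project's `settings.DATABASES`, the audit names every Oracle alias that would have used the fallback password on an affected version; the hardened copy is what the `TEST` entry should look like, with the generated value stored in the project's secret store rather than committed to settings.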

Vulnerable Products

djangoproject django 1.10

djangoproject django 1.10.1

djangoproject django 1.10.2

canonical ubuntu linux 12.04

canonical ubuntu linux 14.04

canonical ubuntu linux 16.04

canonical ubuntu linux 16.10

djangoproject django 1.9

djangoproject django 1.9.1

djangoproject django 1.9.2

djangoproject django 1.9.3

djangoproject django 1.9.4

djangoproject django 1.9.5

djangoproject django 1.9.6

djangoproject django 1.9.7

djangoproject django 1.9.8

djangoproject django 1.9.9

djangoproject django 1.9.10

djangoproject django 1.8

djangoproject django 1.8.1

djangoproject django 1.8.2

djangoproject django 1.8.3

djangoproject django 1.8.4

djangoproject django 1.8.5

djangoproject django 1.8.6

djangoproject django 1.8.7

djangoproject django 1.8.8

djangoproject django 1.8.9

djangoproject django 1.8.10

djangoproject django 1.8.11

djangoproject django 1.8.12

djangoproject django 1.8.13

djangoproject django 1.8.14

djangoproject django 1.8.15

fedoraproject fedora 24

fedoraproject fedora 25

Vendor Advisories

Several security issues were fixed in Django ...
Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a hardcoded password for a temporary database user created when running tests with an Oracle database, which makes it easier for remote attackers to obtain access to the database server by leveraging failure to manually specify a password in the database settings TEST dic ...
When running tests with an Oracle database, Django creates a temporary database user. In older versions, if a password isn't manually specified in the database settings TEST dictionary, a hardcoded password is used. This could allow an attacker with network access to the database server to connect. This user is usually dropped after the test suite ...
Several vulnerabilities were discovered in Django, a high-level Python web development framework. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2016-9013: Marti Raudsepp reported that a user with a hardcoded password is created when running tests with an Oracle database. CVE-2016-9014: Aymeric Au ...
Arch Linux Security Advisory ASA-201611-15 ========================================== Severity: High Date : 2016-11-16 CVE-ID : CVE-2016-9013 CVE-2016-9014 Package : python-django Type : multiple issues Remote : Yes Link : wiki.archlinux.org/index.php/CVE Summary ======= The package python-django before version 1.10.3-1 is vul ...
Arch Linux Security Advisory ASA-201611-14 ========================================== Severity: High Date : 2016-11-16 CVE-ID : CVE-2016-9013 CVE-2016-9014 Package : python2-django Type : multiple issues Remote : Yes Link : wiki.archlinux.org/index.php/CVE Summary ======= The package python2-django before version 1.10.3-1 is v ...
Debian Bug report logs - #842856 python-django: CVE-2016-9013 CVE-2016-9014 Package: src:python-django; Maintainer for src:python-django is Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org> Date: Tue, 1 Nov 2016 19:39:02 UTC Severity: impo ...
Debian Bug report logs - #859516 python-django: CVE-2017-7234: Open redirect vulnerability in django.views.static.serve() Package: src:python-django; Maintainer for src:python-django is Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org> Date: ...
Debian Bug report logs - #859515 python-django: CVE-2017-7233: Open redirect and possible XSS attack via user-supplied numeric redirect URLs Package: src:python-django; Maintainer for src:python-django is Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@deb ...
Oracle Solaris Third Party Bulletin - July 2018 Description: The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities fixed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day when Oracle Critical P ...