Vulnerability Description
Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a hardcoded password for a temporary database user created when running tests with an Oracle database, which makes it easier for remote attackers to obtain access to the database server by leveraging failure to manually specify a password in the database settings TEST dictionary.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Djangoproject | Django | 1.10 |
| Canonical | Ubuntu Linux | 12.04 |
| Fedoraproject | Fedora | 24 |
Related Weaknesses (CWE)
References
- http://www.debian.org/security/2017/dsa-3835
- http://www.securityfocus.com/bid/94069Third Party AdvisoryVDB Entry
- http://www.securitytracker.com/id/1037159Third Party AdvisoryVDB Entry
- http://www.ubuntu.com/usn/USN-3115-1Third Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://www.djangoproject.com/weblog/2016/nov/01/security-releases/Release NotesVendor Advisory
- http://www.debian.org/security/2017/dsa-3835
- http://www.securityfocus.com/bid/94069Third Party AdvisoryVDB Entry
- http://www.securitytracker.com/id/1037159Third Party AdvisoryVDB Entry
- http://www.ubuntu.com/usn/USN-3115-1Third Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://www.djangoproject.com/weblog/2016/nov/01/security-releases/Release NotesVendor Advisory
FAQ
What is CVE-2016-9013?
CVE-2016-9013 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a hardcoded password for a temporary database user created when running tests with an Oracle database, which makes it easi...
How severe is CVE-2016-9013?
CVE-2016-9013 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2016-9013?
Check the references section above for vendor advisories and patch information. Affected products include: Djangoproject Django, Canonical Ubuntu Linux, Fedoraproject Fedora.