Vulnerability-Lookup

CVE-2016-2513 (GCVE-0-2016-2513)

Vulnerability from cvelistv5 – Published: 2016-04-08 15:00 – Updated: 2024-08-05 23:32

Summary

The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

	http://rhn.redhat.com/errata/RHSA-2016-0506.html	vendor-advisoryx_refsource_REDHAT
	https://github.com/django/django/commit/67b46ba70…	x_refsource_CONFIRM
	http://www.securitytracker.com/id/1035152	vdb-entryx_refsource_SECTRACK
	http://rhn.redhat.com/errata/RHSA-2016-0504.html	vendor-advisoryx_refsource_REDHAT
	http://www.debian.org/security/2016/dsa-3544	vendor-advisoryx_refsource_DEBIAN
	http://rhn.redhat.com/errata/RHSA-2016-0502.html	vendor-advisoryx_refsource_REDHAT
	http://www.ubuntu.com/usn/USN-2915-3	vendor-advisoryx_refsource_UBUNTU
	http://www.securityfocus.com/bid/83878	vdb-entryx_refsource_BID
	http://www.oracle.com/technetwork/topics/security…	x_refsource_CONFIRM
	http://www.ubuntu.com/usn/USN-2915-2	vendor-advisoryx_refsource_UBUNTU
	http://rhn.redhat.com/errata/RHSA-2016-0505.html	vendor-advisoryx_refsource_REDHAT
	http://www.ubuntu.com/usn/USN-2915-1	vendor-advisoryx_refsource_UBUNTU
	https://www.djangoproject.com/weblog/2016/mar/01/…	x_refsource_CONFIRM

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T23:32:20.440Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2016:0506",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2016-0506.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/django/django/commit/67b46ba7016da2d259c1ecc7d666d11f5e1cfaab"
          },
          {
            "name": "1035152",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1035152"
          },
          {
            "name": "RHSA-2016:0504",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2016-0504.html"
          },
          {
            "name": "DSA-3544",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2016/dsa-3544"
          },
          {
            "name": "RHSA-2016:0502",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2016-0502.html"
          },
          {
            "name": "USN-2915-3",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "http://www.ubuntu.com/usn/USN-2915-3"
          },
          {
            "name": "83878",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/83878"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html"
          },
          {
            "name": "USN-2915-2",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "http://www.ubuntu.com/usn/USN-2915-2"
          },
          {
            "name": "RHSA-2016:0505",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2016-0505.html"
          },
          {
            "name": "USN-2915-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "http://www.ubuntu.com/usn/USN-2915-1"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2016/mar/01/security-releases/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2016-03-01T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-09-07T09:57:01.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "RHSA-2016:0506",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2016-0506.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/django/django/commit/67b46ba7016da2d259c1ecc7d666d11f5e1cfaab"
        },
        {
          "name": "1035152",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1035152"
        },
        {
          "name": "RHSA-2016:0504",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2016-0504.html"
        },
        {
          "name": "DSA-3544",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2016/dsa-3544"
        },
        {
          "name": "RHSA-2016:0502",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2016-0502.html"
        },
        {
          "name": "USN-2915-3",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "http://www.ubuntu.com/usn/USN-2915-3"
        },
        {
          "name": "83878",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/83878"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html"
        },
        {
          "name": "USN-2915-2",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "http://www.ubuntu.com/usn/USN-2915-2"
        },
        {
          "name": "RHSA-2016:0505",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2016-0505.html"
        },
        {
          "name": "USN-2915-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "http://www.ubuntu.com/usn/USN-2915-1"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2016/mar/01/security-releases/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2016-2513",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "RHSA-2016:0506",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2016-0506.html"
            },
            {
              "name": "https://github.com/django/django/commit/67b46ba7016da2d259c1ecc7d666d11f5e1cfaab",
              "refsource": "CONFIRM",
              "url": "https://github.com/django/django/commit/67b46ba7016da2d259c1ecc7d666d11f5e1cfaab"
            },
            {
              "name": "1035152",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1035152"
            },
            {
              "name": "RHSA-2016:0504",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2016-0504.html"
            },
            {
              "name": "DSA-3544",
              "refsource": "DEBIAN",
              "url": "http://www.debian.org/security/2016/dsa-3544"
            },
            {
              "name": "RHSA-2016:0502",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2016-0502.html"
            },
            {
              "name": "USN-2915-3",
              "refsource": "UBUNTU",
              "url": "http://www.ubuntu.com/usn/USN-2915-3"
            },
            {
              "name": "83878",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/83878"
            },
            {
              "name": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html",
              "refsource": "CONFIRM",
              "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html"
            },
            {
              "name": "USN-2915-2",
              "refsource": "UBUNTU",
              "url": "http://www.ubuntu.com/usn/USN-2915-2"
            },
            {
              "name": "RHSA-2016:0505",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2016-0505.html"
            },
            {
              "name": "USN-2915-1",
              "refsource": "UBUNTU",
              "url": "http://www.ubuntu.com/usn/USN-2915-1"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2016/mar/01/security-releases/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2016/mar/01/security-releases/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2016-2513",
    "datePublished": "2016-04-08T15:00:00.000Z",
    "dateReserved": "2016-02-19T00:00:00.000Z",
    "dateUpdated": "2024-08-05T23:32:20.440Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

FKIE_CVE-2016-2513

Vulnerability from fkie_nvd - Published: 2016-04-08 15:59 - Updated: 2025-04-12 10:46

Severity ?

3.1 (Low) - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

Summary

The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests.

References

URL	Tags
cve@mitre.org	http://rhn.redhat.com/errata/RHSA-2016-0502.html
cve@mitre.org	http://rhn.redhat.com/errata/RHSA-2016-0504.html
cve@mitre.org	http://rhn.redhat.com/errata/RHSA-2016-0505.html
cve@mitre.org	http://rhn.redhat.com/errata/RHSA-2016-0506.html
cve@mitre.org	http://www.debian.org/security/2016/dsa-3544
cve@mitre.org	http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
cve@mitre.org	http://www.securityfocus.com/bid/83878
cve@mitre.org	http://www.securitytracker.com/id/1035152
cve@mitre.org	http://www.ubuntu.com/usn/USN-2915-1
cve@mitre.org	http://www.ubuntu.com/usn/USN-2915-2
cve@mitre.org	http://www.ubuntu.com/usn/USN-2915-3
cve@mitre.org	https://github.com/django/django/commit/67b46ba7016da2d259c1ecc7d666d11f5e1cfaab
cve@mitre.org	https://www.djangoproject.com/weblog/2016/mar/01/security-releases/	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://rhn.redhat.com/errata/RHSA-2016-0502.html
af854a3a-2127-422b-91ae-364da2661108	http://rhn.redhat.com/errata/RHSA-2016-0504.html
af854a3a-2127-422b-91ae-364da2661108	http://rhn.redhat.com/errata/RHSA-2016-0505.html
af854a3a-2127-422b-91ae-364da2661108	http://rhn.redhat.com/errata/RHSA-2016-0506.html
af854a3a-2127-422b-91ae-364da2661108	http://www.debian.org/security/2016/dsa-3544
af854a3a-2127-422b-91ae-364da2661108	http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/83878
af854a3a-2127-422b-91ae-364da2661108	http://www.securitytracker.com/id/1035152
af854a3a-2127-422b-91ae-364da2661108	http://www.ubuntu.com/usn/USN-2915-1
af854a3a-2127-422b-91ae-364da2661108	http://www.ubuntu.com/usn/USN-2915-2
af854a3a-2127-422b-91ae-364da2661108	http://www.ubuntu.com/usn/USN-2915-3
af854a3a-2127-422b-91ae-364da2661108	https://github.com/django/django/commit/67b46ba7016da2d259c1ecc7d666d11f5e1cfaab
af854a3a-2127-422b-91ae-364da2661108	https://www.djangoproject.com/weblog/2016/mar/01/security-releases/	Vendor Advisory

Impacted products

Vendor	Product	Version
djangoproject	django	1.8.9
djangoproject	django	1.9
djangoproject	django	1.9.1
djangoproject	django	1.9.2

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.8.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "99A5BF6D-631B-4C8E-9868-579BD79100C7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "29C40BAC-6DF3-4EA2-A65A-86462DDD8723",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.9.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "6B754401-8503-4553-853F-4F6BCD2D2FF2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.9.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "019C26C7-EF1F-45BB-934E-521E2E64452E",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests."
    },
    {
      "lang": "es",
      "value": "El hasher de contrase\u00f1as en contrib/auth/hashers.py en Django en versiones anteriores a 1.8.10 y 1.9.x en versiones anteriores a 1.9.3 permite a atacantes remotos enumerar usuarios a trav\u00e9s de un ataque de sincronizaci\u00f3n que implica peticiones de login."
    }
  ],
  "id": "CVE-2016-2513",
  "lastModified": "2025-04-12T10:46:40.837",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "HIGH",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 2.6,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 4.9,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 3.1,
          "baseSeverity": "LOW",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2016-04-08T15:59:07.230",
  "references": [
    {
      "source": "cve@mitre.org",
      "url": "http://rhn.redhat.com/errata/RHSA-2016-0502.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://rhn.redhat.com/errata/RHSA-2016-0504.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://rhn.redhat.com/errata/RHSA-2016-0505.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://rhn.redhat.com/errata/RHSA-2016-0506.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.debian.org/security/2016/dsa-3544"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.securityfocus.com/bid/83878"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.securitytracker.com/id/1035152"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.ubuntu.com/usn/USN-2915-1"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.ubuntu.com/usn/USN-2915-2"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.ubuntu.com/usn/USN-2915-3"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://github.com/django/django/commit/67b46ba7016da2d259c1ecc7d666d11f5e1cfaab"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.djangoproject.com/weblog/2016/mar/01/security-releases/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://rhn.redhat.com/errata/RHSA-2016-0502.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://rhn.redhat.com/errata/RHSA-2016-0504.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://rhn.redhat.com/errata/RHSA-2016-0505.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://rhn.redhat.com/errata/RHSA-2016-0506.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.debian.org/security/2016/dsa-3544"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/bid/83878"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securitytracker.com/id/1035152"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.ubuntu.com/usn/USN-2915-1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.ubuntu.com/usn/USN-2915-2"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.ubuntu.com/usn/USN-2915-3"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/django/django/commit/67b46ba7016da2d259c1ecc7d666d11f5e1cfaab"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.djangoproject.com/weblog/2016/mar/01/security-releases/"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-FP6P-5XVW-M74F

Vulnerability from github – Published: 2022-05-17 01:09 – Updated: 2024-09-18 14:35

Summary

Django User Enumeration Vulnerability

Details

The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests.

Severity ?

3.1 (Low)


                  
                    CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

2.3 (Low)


                  
                    CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Django"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.8.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Django"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.9"
            },
            {
              "fixed": "1.9.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2016-2513"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-31T22:16:33Z",
    "nvd_published_at": "2016-04-08T15:59:00Z",
    "severity": "LOW"
  },
  "details": "The password hasher in `contrib/auth/hashers.py` in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests.",
  "id": "GHSA-fp6p-5xvw-m74f",
  "modified": "2024-09-18T14:35:47Z",
  "published": "2022-05-17T01:09:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-2513"
    },
    {
      "type": "WEB",
      "url": "https://github.com/django/django/commit/67b46ba7016da2d259c1ecc7d666d11f5e1cfaab"
    },
    {
      "type": "WEB",
      "url": "https://github.com/django/django/commit/af7d09b0c5c6ab68e629fd9baf736f9dd203b18e"
    },
    {
      "type": "WEB",
      "url": "https://github.com/django/django/commit/f4e6e02f7713a6924d16540be279909ff4091eb6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/django/django"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2016-16.yaml"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20160322001143/http://www.securitytracker.com/id/1035152"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20200228001222/http://www.securityfocus.com/bid/83878"
    },
    {
      "type": "WEB",
      "url": "https://www.djangoproject.com/weblog/2016/mar/01/security-releases"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2016-0502.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2016-0504.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2016-0505.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2016-0506.html"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2016/dsa-3544"
    },
    {
      "type": "WEB",
      "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-2915-1"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-2915-2"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-2915-3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Django User Enumeration Vulnerability"
}

GSD-2016-2513

Vulnerability from gsd - Updated: 2023-12-13 01:21

Details

The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests.

Aliases

CVE-2016-2513

Aliases

CVE-2016-2513

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2016-2513",
    "description": "The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests.",
    "id": "GSD-2016-2513",
    "references": [
      "https://www.suse.com/security/cve/CVE-2016-2513.html",
      "https://www.debian.org/security/2016/dsa-3544",
      "https://access.redhat.com/errata/RHSA-2016:0506",
      "https://access.redhat.com/errata/RHSA-2016:0505",
      "https://access.redhat.com/errata/RHSA-2016:0504",
      "https://access.redhat.com/errata/RHSA-2016:0503",
      "https://access.redhat.com/errata/RHSA-2016:0502",
      "https://ubuntu.com/security/CVE-2016-2513",
      "https://advisories.mageia.org/CVE-2016-2513.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2016-2513"
      ],
      "details": "The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests.",
      "id": "GSD-2016-2513",
      "modified": "2023-12-13T01:21:19.840365Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2016-2513",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "RHSA-2016:0506",
            "refsource": "REDHAT",
            "url": "http://rhn.redhat.com/errata/RHSA-2016-0506.html"
          },
          {
            "name": "https://github.com/django/django/commit/67b46ba7016da2d259c1ecc7d666d11f5e1cfaab",
            "refsource": "CONFIRM",
            "url": "https://github.com/django/django/commit/67b46ba7016da2d259c1ecc7d666d11f5e1cfaab"
          },
          {
            "name": "1035152",
            "refsource": "SECTRACK",
            "url": "http://www.securitytracker.com/id/1035152"
          },
          {
            "name": "RHSA-2016:0504",
            "refsource": "REDHAT",
            "url": "http://rhn.redhat.com/errata/RHSA-2016-0504.html"
          },
          {
            "name": "DSA-3544",
            "refsource": "DEBIAN",
            "url": "http://www.debian.org/security/2016/dsa-3544"
          },
          {
            "name": "RHSA-2016:0502",
            "refsource": "REDHAT",
            "url": "http://rhn.redhat.com/errata/RHSA-2016-0502.html"
          },
          {
            "name": "USN-2915-3",
            "refsource": "UBUNTU",
            "url": "http://www.ubuntu.com/usn/USN-2915-3"
          },
          {
            "name": "83878",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/83878"
          },
          {
            "name": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html",
            "refsource": "CONFIRM",
            "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html"
          },
          {
            "name": "USN-2915-2",
            "refsource": "UBUNTU",
            "url": "http://www.ubuntu.com/usn/USN-2915-2"
          },
          {
            "name": "RHSA-2016:0505",
            "refsource": "REDHAT",
            "url": "http://rhn.redhat.com/errata/RHSA-2016-0505.html"
          },
          {
            "name": "USN-2915-1",
            "refsource": "UBUNTU",
            "url": "http://www.ubuntu.com/usn/USN-2915-1"
          },
          {
            "name": "https://www.djangoproject.com/weblog/2016/mar/01/security-releases/",
            "refsource": "CONFIRM",
            "url": "https://www.djangoproject.com/weblog/2016/mar/01/security-releases/"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e=1.8.0a,\u003c1.8.10||\u003e=1.9.0a,\u003c1.9.3",
          "affected_versions": "All versions starting from 1.8.0a before 1.8.10, all versions starting from 1.9.0a before 1.9.3",
          "credit": "Sjoerd Job Postmus",
          "cvss_v2": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
          "cvss_v3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-200",
            "CWE-937"
          ],
          "date": "2017-09-07",
          "description": "In each major version of Django since, the default number of iterations for the PBKDF2PasswordHasher and its subclasses has increased. This improves the security of the password as the speed of hardware increases, however, it also creates a timing difference between a login request for a user with a password encoded in an older number of iterations and login request for a nonexistent user (which runs the default hasher\u0027s default number of iterations since Django ). This only affects users who haven\u0027t logged in since the iterations were increased. The first time a user logs in after an iterations increase, their password is updated with the new iterations and there is no longer a timing difference.",
          "fixed_versions": [
            "1.8.10",
            "1.9.3"
          ],
          "identifier": "CVE-2016-2513",
          "identifiers": [
            "CVE-2016-2513"
          ],
          "package_slug": "pypi/Django",
          "pubdate": "2016-04-08",
          "solution": "Upgrade to latest or apply patches. See provided link.",
          "title": "User enumeration through timing difference on password hasher work factor upgrade",
          "urls": [
            "https://www.djangoproject.com/weblog/2016/mar/01/security-releases/"
          ],
          "uuid": "4c46e7f4-58ca-4595-9ed8-29d136fddc91"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.8.9:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.9.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.9.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.9:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2016-2513"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-200"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.djangoproject.com/weblog/2016/mar/01/security-releases/",
              "refsource": "CONFIRM",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://www.djangoproject.com/weblog/2016/mar/01/security-releases/"
            },
            {
              "name": "https://github.com/django/django/commit/67b46ba7016da2d259c1ecc7d666d11f5e1cfaab",
              "refsource": "CONFIRM",
              "tags": [],
              "url": "https://github.com/django/django/commit/67b46ba7016da2d259c1ecc7d666d11f5e1cfaab"
            },
            {
              "name": "RHSA-2016:0504",
              "refsource": "REDHAT",
              "tags": [],
              "url": "http://rhn.redhat.com/errata/RHSA-2016-0504.html"
            },
            {
              "name": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html",
              "refsource": "CONFIRM",
              "tags": [],
              "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html"
            },
            {
              "name": "83878",
              "refsource": "BID",
              "tags": [],
              "url": "http://www.securityfocus.com/bid/83878"
            },
            {
              "name": "USN-2915-2",
              "refsource": "UBUNTU",
              "tags": [],
              "url": "http://www.ubuntu.com/usn/USN-2915-2"
            },
            {
              "name": "USN-2915-3",
              "refsource": "UBUNTU",
              "tags": [],
              "url": "http://www.ubuntu.com/usn/USN-2915-3"
            },
            {
              "name": "DSA-3544",
              "refsource": "DEBIAN",
              "tags": [],
              "url": "http://www.debian.org/security/2016/dsa-3544"
            },
            {
              "name": "RHSA-2016:0502",
              "refsource": "REDHAT",
              "tags": [],
              "url": "http://rhn.redhat.com/errata/RHSA-2016-0502.html"
            },
            {
              "name": "RHSA-2016:0505",
              "refsource": "REDHAT",
              "tags": [],
              "url": "http://rhn.redhat.com/errata/RHSA-2016-0505.html"
            },
            {
              "name": "RHSA-2016:0506",
              "refsource": "REDHAT",
              "tags": [],
              "url": "http://rhn.redhat.com/errata/RHSA-2016-0506.html"
            },
            {
              "name": "USN-2915-1",
              "refsource": "UBUNTU",
              "tags": [],
              "url": "http://www.ubuntu.com/usn/USN-2915-1"
            },
            {
              "name": "1035152",
              "refsource": "SECTRACK",
              "tags": [],
              "url": "http://www.securitytracker.com/id/1035152"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "HIGH",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 2.6,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 4.9,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "LOW",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.1,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
            "version": "3.0"
          },
          "exploitabilityScore": 1.6,
          "impactScore": 1.4
        }
      },
      "lastModifiedDate": "2017-09-08T01:29Z",
      "publishedDate": "2016-04-08T15:59Z"
    }
  }
}

PYSEC-2016-16

Vulnerability from pysec - Published: 2016-04-08 15:59 - Updated: 2021-07-15 02:22

Details

The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests.

Impacted products

Name	purl
django	pkg:pypi/django

Aliases

CVE-2016-2513

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "django",
        "purl": "pkg:pypi/django"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "67b46ba7016da2d259c1ecc7d666d11f5e1cfaab"
            }
          ],
          "repo": "https://github.com/django/django",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.8.10"
            },
            {
              "introduced": "1.9"
            },
            {
              "fixed": "1.9.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "1.0.1",
        "1.0.2",
        "1.0.3",
        "1.0.4",
        "1.1",
        "1.1.1",
        "1.1.2",
        "1.1.3",
        "1.1.4",
        "1.2",
        "1.2.1",
        "1.2.2",
        "1.2.3",
        "1.2.4",
        "1.2.5",
        "1.2.6",
        "1.2.7",
        "1.3",
        "1.3.1",
        "1.3.2",
        "1.3.3",
        "1.3.4",
        "1.3.5",
        "1.3.6",
        "1.3.7",
        "1.4",
        "1.4.1",
        "1.4.10",
        "1.4.11",
        "1.4.12",
        "1.4.13",
        "1.4.14",
        "1.4.15",
        "1.4.16",
        "1.4.17",
        "1.4.18",
        "1.4.19",
        "1.4.2",
        "1.4.20",
        "1.4.21",
        "1.4.22",
        "1.4.3",
        "1.4.4",
        "1.4.5",
        "1.4.6",
        "1.4.7",
        "1.4.8",
        "1.4.9",
        "1.5",
        "1.5.1",
        "1.5.10",
        "1.5.11",
        "1.5.12",
        "1.5.2",
        "1.5.3",
        "1.5.4",
        "1.5.5",
        "1.5.6",
        "1.5.7",
        "1.5.8",
        "1.5.9",
        "1.6",
        "1.6.1",
        "1.6.10",
        "1.6.11",
        "1.6.2",
        "1.6.3",
        "1.6.4",
        "1.6.5",
        "1.6.6",
        "1.6.7",
        "1.6.8",
        "1.6.9",
        "1.7",
        "1.7.1",
        "1.7.10",
        "1.7.11",
        "1.7.2",
        "1.7.3",
        "1.7.4",
        "1.7.5",
        "1.7.6",
        "1.7.7",
        "1.7.8",
        "1.7.9",
        "1.8",
        "1.8.1",
        "1.8.2",
        "1.8.3",
        "1.8.4",
        "1.8.5",
        "1.8.6",
        "1.8.7",
        "1.8.8",
        "1.8.9",
        "1.8a1",
        "1.8b1",
        "1.8b2",
        "1.8c1",
        "1.9",
        "1.9.1",
        "1.9.2"
      ]
    }
  ],
  "aliases": [
    "CVE-2016-2513"
  ],
  "details": "The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests.",
  "id": "PYSEC-2016-16",
  "modified": "2021-07-15T02:22:10.225115Z",
  "published": "2016-04-08T15:59:00Z",
  "references": [
    {
      "type": "ARTICLE",
      "url": "https://www.djangoproject.com/weblog/2016/mar/01/security-releases/"
    },
    {
      "type": "FIX",
      "url": "https://github.com/django/django/commit/67b46ba7016da2d259c1ecc7d666d11f5e1cfaab"
    },
    {
      "type": "ADVISORY",
      "url": "http://rhn.redhat.com/errata/RHSA-2016-0504.html"
    },
    {
      "type": "WEB",
      "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/83878"
    },
    {
      "type": "ADVISORY",
      "url": "http://www.ubuntu.com/usn/USN-2915-2"
    },
    {
      "type": "ADVISORY",
      "url": "http://www.ubuntu.com/usn/USN-2915-3"
    },
    {
      "type": "ADVISORY",
      "url": "http://www.debian.org/security/2016/dsa-3544"
    },
    {
      "type": "ADVISORY",
      "url": "http://rhn.redhat.com/errata/RHSA-2016-0502.html"
    },
    {
      "type": "ADVISORY",
      "url": "http://rhn.redhat.com/errata/RHSA-2016-0505.html"
    },
    {
      "type": "ADVISORY",
      "url": "http://rhn.redhat.com/errata/RHSA-2016-0506.html"
    },
    {
      "type": "ADVISORY",
      "url": "http://www.ubuntu.com/usn/USN-2915-1"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1035152"
    }
  ]
}

CNVD-2016-01467

Vulnerability from cnvd - Published: 2016-03-08

Title

Django安全绕过漏洞（CNVD-2016-01467）

Description

Django是Django软件基金会的一套基于Python语言的开源Web应用框架。该框架包括面向对象的映射器、视图系统、模板系统等。 Django 1.9.3之前版本和1.6版本至1.8版本中存在安全漏洞。攻击者可借助时间差异利用该漏洞绕过安全限制，枚举用户。

Severity

中

Patch Name

Django安全绕过漏洞（CNVD-2016-01467）的补丁

Patch Description

Django是Django软件基金会的一套基于Python语言的开源Web应用框架。该框架包括面向对象的映射器、视图系统、模板系统等。 Django 1.9.3之前版本和1.6版本至1.8版本中存在安全漏洞。攻击者可借助时间差异利用该漏洞绕过安全限制，枚举用户。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载： http://www.ubuntu.com/usn/usn-2915-1/

Reference

http://www.ubuntu.com/usn/usn-2915-1/

Impacted products

Name
['Django Django <1.9.3', 'Django Django 1.5-1.8']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2016-2513"
    }
  },
  "description": "Django\u662fDjango\u8f6f\u4ef6\u57fa\u91d1\u4f1a\u7684\u4e00\u5957\u57fa\u4e8ePython\u8bed\u8a00\u7684\u5f00\u6e90Web\u5e94\u7528\u6846\u67b6\u3002\u8be5\u6846\u67b6\u5305\u62ec\u9762\u5411\u5bf9\u8c61\u7684\u6620\u5c04\u5668\u3001\u89c6\u56fe\u7cfb\u7edf\u3001\u6a21\u677f\u7cfb\u7edf\u7b49\u3002\r\n\r\nDjango 1.9.3\u4e4b\u524d\u7248\u672c\u548c1.6\u7248\u672c\u81f31.8\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u501f\u52a9\u65f6\u95f4\u5dee\u5f02\u5229\u7528\u8be5\u6f0f\u6d1e\u7ed5\u8fc7\u5b89\u5168\u9650\u5236\uff0c\u679a\u4e3e\u7528\u6237\u3002",
  "discovererName": "unknown",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u8fd9\u4e2a\u5b89\u5168\u95ee\u9898\uff0c\u8bf7\u5230\u5382\u5546\u7684\u4e3b\u9875\u4e0b\u8f7d\uff1a\r\nhttp://www.ubuntu.com/usn/usn-2915-1/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2016-01467",
  "openTime": "2016-03-08",
  "patchDescription": "Django\u662fDjango\u8f6f\u4ef6\u57fa\u91d1\u4f1a\u7684\u4e00\u5957\u57fa\u4e8ePython\u8bed\u8a00\u7684\u5f00\u6e90Web\u5e94\u7528\u6846\u67b6\u3002\u8be5\u6846\u67b6\u5305\u62ec\u9762\u5411\u5bf9\u8c61\u7684\u6620\u5c04\u5668\u3001\u89c6\u56fe\u7cfb\u7edf\u3001\u6a21\u677f\u7cfb\u7edf\u7b49\u3002\r\n\r\nDjango 1.9.3\u4e4b\u524d\u7248\u672c\u548c1.6\u7248\u672c\u81f31.8\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u501f\u52a9\u65f6\u95f4\u5dee\u5f02\u5229\u7528\u8be5\u6f0f\u6d1e\u7ed5\u8fc7\u5b89\u5168\u9650\u5236\uff0c\u679a\u4e3e\u7528\u6237\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Django\u5b89\u5168\u7ed5\u8fc7\u6f0f\u6d1e\uff08CNVD-2016-01467\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Django Django \u003c1.9.3",
      "Django Django 1.5-1.8"
    ]
  },
  "referenceLink": "http://www.ubuntu.com/usn/usn-2915-1/",
  "serverity": "\u4e2d",
  "submitTime": "2016-03-04",
  "title": "Django\u5b89\u5168\u7ed5\u8fc7\u6f0f\u6d1e\uff08CNVD-2016-01467\uff09"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2016-2513 (GCVE-0-2016-2513)

FKIE_CVE-2016-2513

GHSA-FP6P-5XVW-M74F

GSD-2016-2513

PYSEC-2016-16

CNVD-2016-01467

Tags

Sightings

Nomenclature