CVE-2016-9013
Severity: CRITICAL
Django <1.8.16, 1.9.x <1.9.11, 1.10.x <1.10.3 - Info Disclosure
Title source: llmDescription
Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a hardcoded password for a temporary database user created when running tests with an Oracle database, which makes it easier for remote attackers to obtain access to the database server by leveraging failure to manually specify a password in the database settings TEST dictionary.
References (7)
- Release Notes, Vendor Advisory (x_refsource_confirm): https://www.djangoproject.com/weblog/2016/nov/01/security-releases/
- Mailing List, Third Party Advisory, vendor-advisory (x_refsource_fedora): https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QXDKJYHN74BWY3P7AR2UZDVJREQMRE6S/
- Third Party Advisory, vendor-advisory (x_refsource_debian): http://www.debian.org/security/2017/dsa-3835
- Third Party Advisory, vendor-advisory (x_refsource_ubuntu): http://www.ubuntu.com/usn/USN-3115-1
- Third Party Advisory, VDB Entry, vdb-entry (x_refsource_bid): http://www.securityfocus.com/bid/94069
- Third Party Advisory, VDB Entry, vdb-entry (x_refsource_sectrack): http://www.securitytracker.com/id/1037159
- Mailing List, Third Party Advisory, vendor-advisory (x_refsource_fedora): https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OG5ROMUPS6C7BXELD3TAUUH7OBYV56WQ/
Scores
- CVSS v3: 9.8
- EPSS: 0.0514
- EPSS Percentile: 91.3%
- Attack Vector: NETWORK
- Vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
- CWE: CWE-798 (Use of Hard-coded Credentials)
- Status: published
Products (37)
- canonical/ubuntu_linux 12.04
- canonical/ubuntu_linux 14.04
- canonical/ubuntu_linux 16.04
- canonical/ubuntu_linux 16.10
- djangoproject/django 1.10
- djangoproject/django 1.10.1
- djangoproject/django 1.10.2
- djangoproject/django 1.9
- djangoproject/django 1.9.1
- djangoproject/django 1.9.2
- ... and 27 more
Published: Dec 09, 2016
Tracked Since: Feb 18, 2026