CVE-2016-9013

EUVD-2016-0006
Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a hardcoded password for a temporary database user created when running tests with an Oracle database, which makes it easier for remote attackers to obtain access to the database server by leveraging failure to manually specify a password in the database settings TEST dictionary.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 82%
Affected Products (NVD)
VendorProductVersion
djangoprojectdjango
1.10
djangoprojectdjango
1.10.1
djangoprojectdjango
1.10.2
canonicalubuntu_linux
12.04
canonicalubuntu_linux
14.04
canonicalubuntu_linux
16.04
canonicalubuntu_linux
16.10
djangoprojectdjango
1.9
djangoprojectdjango
1.9.1
djangoprojectdjango
1.9.2
djangoprojectdjango
1.9.3
djangoprojectdjango
1.9.4
djangoprojectdjango
1.9.5
djangoprojectdjango
1.9.6
djangoprojectdjango
1.9.7
djangoprojectdjango
1.9.8
djangoprojectdjango
1.9.9
djangoprojectdjango
1.9.10
djangoprojectdjango
1.8
djangoprojectdjango
1.8.1
djangoprojectdjango
1.8.2
djangoprojectdjango
1.8.3
djangoprojectdjango
1.8.4
djangoprojectdjango
1.8.5
djangoprojectdjango
1.8.6
djangoprojectdjango
1.8.7
djangoprojectdjango
1.8.8
djangoprojectdjango
1.8.9
djangoprojectdjango
1.8.10
djangoprojectdjango
1.8.11
djangoprojectdjango
1.8.12
djangoprojectdjango
1.8.13
djangoprojectdjango
1.8.14
djangoprojectdjango
1.8.15
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
python-django
bookworm
3:3.2.19-1+deb12u1
fixed
bookworm (security)
3:3.2.19-1+deb12u1
fixed
bullseye
2:2.2.28-1~deb11u2
fixed
bullseye (security)
2:2.2.28-1~deb11u2
fixed
sid
3:4.2.16-1
fixed
trixie
3:4.2.16-1
fixed
wheezy
no-dsa
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
python-django
precise
Fixed 1.3.1-4ubuntu1.22
released
trusty
Fixed 1.6.1-2ubuntu0.16
released
xenial
Fixed 1.8.7-1ubuntu5.4
released
yakkety
Fixed 1.8.7-1ubuntu8.1
released
Common Weakness Enumeration
References
http://www.debian.org/security/2017/dsa-3835
http://www.securityfocus.com/bid/94069
http://www.securitytracker.com/id/1037159
http://www.ubuntu.com/usn/USN-3115-1
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OG5ROMUPS6C7BXELD3TAUUH7OBYV56WQ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QXDKJYHN74BWY3P7AR2UZDVJREQMRE6S/
https://www.djangoproject.com/weblog/2016/nov/01/security-releases/
http://www.debian.org/security/2017/dsa-3835
http://www.securityfocus.com/bid/94069
http://www.securitytracker.com/id/1037159
http://www.ubuntu.com/usn/USN-3115-1
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OG5ROMUPS6C7BXELD3TAUUH7OBYV56WQ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QXDKJYHN74BWY3P7AR2UZDVJREQMRE6S/
https://www.djangoproject.com/weblog/2016/nov/01/security-releases/