CVE-2016-9013
python-django - security update
9.8
CRITICAL
CVSS 3.1
EPSS 1.2%
Description
Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a hardcoded password for a temporary database user created when running tests with an Oracle database, which makes it easier for remote attackers to obtain access to the database server by leveraging failure to manually specify a password in the database settings TEST dictionary.
How to fix CVE-2016-9013
To remediate CVE-2016-9013, upgrade the affected package to a fixed version below.
- —upgrade to 1.8.16-r0 or later
- —upgrade to 1.8.16-r0 or later
- —upgrade to 1:1.10.3-1 or later
- —upgrade to 1.7.11-1+deb8u2 or later
- —upgrade to 1.10.3 or later
- —upgrade to 1.8.16 or later
Is CVE-2016-9013 being exploited?
Low — EPSS is 1.2%, meaning exploitation activity has not been observed at scale.
Affected packages (6)
- from 0, < 1.8.16-r0
- from 0, < 1.8.16-r0
- from 0, < 1:1.10.3-1
- from 0, < 1.7.11-1+deb8u2
- >= 1.10a1, < 1.10.3
- >= 1.8, < 1.8.16, >= 1.9, < 1.9.11, >= 1.10, < 1.10.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |