CVE-2016-9013
Publication date 1 November 2016
Last updated 25 August 2025
Ubuntu priority
Description
Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a hardcoded password for a temporary database user created when running tests with an Oracle database, which makes it easier for remote attackers to obtain access to the database server by leveraging failure to manually specify a password in the database settings TEST dictionary.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| python-django | ||
| 16.04 LTS xenial |
Fixed 1.8.7-1ubuntu5.4
|
|
| 14.04 LTS trusty |
Fixed 1.6.1-2ubuntu0.16
|
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
9.8 · Critical
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-3115-1
- Django vulnerabilities
- 1 November 2016