#VU1130 Information disclosure in Django - CVE-2016-9013


| Updated: 2016-11-02

Vulnerability identifier: #VU1130

Vulnerability risk: Low

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2016-9013

CWE-ID: CWE-259

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Django
Web applications / CMS

Vendor: Django Software Foundation

Description
The vulnerability allows a remote authenticated user to obtain potentially sensitive information on the target system.
The weakness exists due to use of hardcoded password that allows a remote attacker to connect to the database server.
Successful exploitation of the vulnerability results in disclosure of potentially sensitive information.

Mitigation
Update to 1.8.16, 1.9.11, 1.10.3.

Vulnerable software versions

Django: 1.8 - 1.10.3

External links
https://www.djangoproject.com/weblog/2016/nov/01/security-releases/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Fedora EPEL 7 update for python-django
Information disclosure in py-django (Alpine package)
Arch Linux update for python-django
Arch Linux update for python2-django
Arch Linux update for python-django
Arch Linux update for python2-django
Fedora 24 update for python-django
Fedora 25 update for python-django
Ubuntu update for Django