CVE-2025-13473

Published: 03 Feb 2026
Source: nvd
CVSS3: 5.3
EPSS: Low

Description

An issue was discovered in Django 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. The `django.contrib.auth.handlers.modwsgi.check_password()` function for authentication via `mod_wsgi` allows remote attackers to enumerate users via a timing attack. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Stackered for reporting this issue.

Vulnerable configurations

Configuration 1

One of

cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*
Version from 4.2 (inclusive) to 4.2.28 (exclusive)
cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*
Version from 5.2 (inclusive) to 5.2.11 (exclusive)
cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*
Version from 6.0 (inclusive) to 6.0.2 (exclusive)

EPSS

Percentile: 5%
0.00022
Low

5.3 Medium

CVSS3

Weaknesses

CWE-208

Related vulnerabilities

CVSS3: 5.3
ubuntu
4 days ago

An issue was discovered in Django 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. The `django.contrib.auth.handlers.modwsgi.check_password()` function for authentication via `mod_wsgi` allows remote attackers to enumerate users via a timing attack. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Stackered for reporting this issue.

CVSS3: 5.3
debian
4 days ago

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4. ...

github
4 days ago

Django has Observable Timing Discrepancy
