CVE-2016-2513

Опубликовано: 01 мар. 2016

Источник: redhat

CVSS2: 4.3

EPSS Низкий

Описание

The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests.

A timing attack flaw was found in the way Django's PBKDF2PasswordHasher performed password hashing. Passwords hashed with an older version of PBKDF2PasswordHasher used less hashing iterations, and thus allowed an attacker to enumerate existing users based on the time differences in the login requests.

Затронутые пакеты

Платформа	Пакет	Состояние	Рекомендация	Релиз
Red Hat Ceph Storage 1.2	Django	Will not fix
Red Hat Ceph Storage 1.3	Django	Will not fix
Red Hat OpenStack Platform 8 (Liberty)	python-django	Not affected
Red Hat OpenStack Platform 8 (Liberty) Operational Tools	python-django	Not affected
Red Hat Subscription Asset Manager	Django	Affected
Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6	python-django	Fixed	RHSA-2016:0502	24.03.2016
Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7	python-django	Fixed	RHSA-2016:0506	24.03.2016
Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7	python-django	Fixed	RHSA-2016:0505	24.03.2016
Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7	python-django	Fixed	RHSA-2016:0504	24.03.2016
Red Hat Enterprise Linux OpenStack Platform 7.0 Operational Tools for RHEL 7	python-django	Fixed	RHSA-2016:0503	24.03.2016

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate

Дефект:

CWE-385

https://bugzilla.redhat.com/show_bug.cgi?id=1311438python-django: User enumeration through timing difference on password hasher work factor upgrade

EPSS

Процентиль: 73%

0.00799

Низкий

4.3 Medium

CVSS2

Связанные уязвимости

CVE-2016-2513

CVSS3: 3.1

ubuntu

около 9 лет назад

The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests.

CVE-2016-2513

CVSS3: 3.1

nvd

около 9 лет назад

The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests.

CVE-2016-2513

CVSS3: 3.1

debian

около 9 лет назад

The password hasher in contrib/auth/hashers.py in Django before 1.8.10 ...

GHSA-fp6p-5xvw-m74f

CVSS3: 3.1

github

около 3 лет назад

Django User Enumeration Vulnerability

openSUSE-SU-2018:0826-1

suse-cvrf

около 7 лет назад

Security update for python-Django

EPSS

Процентиль: 73%

0.00799

Низкий

4.3 Medium

CVSS2