First published: Fri Apr 08 2016(Updated: )
The password hasher in `contrib/auth/hashers.py` in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests.
Credit: cve@mitre.org cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Djangoproject Django | =1.8.9 | |
Djangoproject Django | =1.9 | |
Djangoproject Django | =1.9.1 | |
Djangoproject Django | =1.9.2 | |
pip/django | >=1.9<1.9.3 | 1.9.3 |
pip/django | <1.8.10 | 1.8.10 |
=1.8.9 | ||
=1.9 | ||
=1.9.1 | ||
=1.9.2 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2016-2513 has a medium severity level due to the potential for user enumeration through timing attacks.
You can fix CVE-2016-2513 by upgrading to Django version 1.8.10 or 1.9.3 or later.
CVE-2016-2513 affects Django versions 1.8.9 and any 1.9.x version prior to 1.9.3.
Yes, CVE-2016-2513 can be exploited remotely, allowing attackers to enumerate users.
CVE-2016-2513 is associated with a timing attack that can lead to user enumeration.