{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2016-03-01T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-09-07T09:57:01.000Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "RHSA-2016:0506", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2016-0506.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/django/django/commit/67b46ba7016da2d259c1ecc7d666d11f5e1cfaab"}, {"name": "1035152", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1035152"}, {"name": "RHSA-2016:0504", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2016-0504.html"}, {"name": "DSA-3544", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2016/dsa-3544"}, {"name": "RHSA-2016:0502", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2016-0502.html"}, {"name": "USN-2915-3", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-2915-3"}, {"name": "83878", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/83878"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html"}, {"name": "USN-2915-2", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-2915-2"}, {"name": "RHSA-2016:0505", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2016-0505.html"}, {"name": "USN-2915-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-2915-1"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.djangoproject.com/weblog/2016/mar/01/security-releases/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-2513", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "RHSA-2016:0506", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2016-0506.html"}, {"name": "https://github.com/django/django/commit/67b46ba7016da2d259c1ecc7d666d11f5e1cfaab", "refsource": "CONFIRM", "url": "https://github.com/django/django/commit/67b46ba7016da2d259c1ecc7d666d11f5e1cfaab"}, {"name": "1035152", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1035152"}, {"name": "RHSA-2016:0504", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2016-0504.html"}, {"name": "DSA-3544", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2016/dsa-3544"}, {"name": "RHSA-2016:0502", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2016-0502.html"}, {"name": "USN-2915-3", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2915-3"}, {"name": "83878", "refsource": "BID", "url": "http://www.securityfocus.com/bid/83878"}, {"name": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html"}, {"name": "USN-2915-2", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2915-2"}, {"name": "RHSA-2016:0505", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2016-0505.html"}, {"name": "USN-2915-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2915-1"}, {"name": "https://www.djangoproject.com/weblog/2016/mar/01/security-releases/", "refsource": "CONFIRM", "url": "https://www.djangoproject.com/weblog/2016/mar/01/security-releases/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T23:32:20.440Z"}, "title": "CVE Program Container", "references": [{"name": "RHSA-2016:0506", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2016-0506.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/django/django/commit/67b46ba7016da2d259c1ecc7d666d11f5e1cfaab"}, {"name": "1035152", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1035152"}, {"name": "RHSA-2016:0504", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2016-0504.html"}, {"name": "DSA-3544", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2016/dsa-3544"}, {"name": "RHSA-2016:0502", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2016-0502.html"}, {"name": "USN-2915-3", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "http://www.ubuntu.com/usn/USN-2915-3"}, {"name": "83878", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/83878"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html"}, {"name": "USN-2915-2", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "http://www.ubuntu.com/usn/USN-2915-2"}, {"name": "RHSA-2016:0505", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2016-0505.html"}, {"name": "USN-2915-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "http://www.ubuntu.com/usn/USN-2915-1"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.djangoproject.com/weblog/2016/mar/01/security-releases/"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2016-2513", "datePublished": "2016-04-08T15:00:00.000Z", "dateReserved": "2016-02-19T00:00:00.000Z", "dateUpdated": "2024-08-05T23:32:20.440Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:djangoproject:django:1.8.9:*:*:*:*:*:*:*", "matchCriteriaId": "99A5BF6D-631B-4C8E-9868-579BD79100C7", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.9:*:*:*:*:*:*:*", "matchCriteriaId": "29C40BAC-6DF3-4EA2-A65A-86462DDD8723", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.9.1:*:*:*:*:*:*:*", "matchCriteriaId": "6B754401-8503-4553-853F-4F6BCD2D2FF2", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.9.2:*:*:*:*:*:*:*", "matchCriteriaId": "019C26C7-EF1F-45BB-934E-521E2E64452E", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests."}, {"lang": "es", "value": "El hasher de contrase\u00f1as en contrib/auth/hashers.py en Django en versiones anteriores a 1.8.10 y 1.9.x en versiones anteriores a 1.9.3 permite a atacantes remotos enumerar usuarios a trav\u00e9s de un ataque de sincronizaci\u00f3n que implica peticiones de login."}], "id": "CVE-2016-2513", "lastModified": "2026-05-06T22:30:45.220", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 4.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 1.6, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2016-04-08T15:59:07.230", "references": [{"source": "cve@mitre.org", "url": "http://rhn.redhat.com/errata/RHSA-2016-0502.html"}, {"source": "cve@mitre.org", "url": "http://rhn.redhat.com/errata/RHSA-2016-0504.html"}, {"source": "cve@mitre.org", "url": "http://rhn.redhat.com/errata/RHSA-2016-0505.html"}, {"source": "cve@mitre.org", "url": "http://rhn.redhat.com/errata/RHSA-2016-0506.html"}, {"source": "cve@mitre.org", "url": "http://www.debian.org/security/2016/dsa-3544"}, {"source": "cve@mitre.org", "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/83878"}, {"source": "cve@mitre.org", "url": "http://www.securitytracker.com/id/1035152"}, {"source": "cve@mitre.org", "url": "http://www.ubuntu.com/usn/USN-2915-1"}, {"source": "cve@mitre.org", "url": "http://www.ubuntu.com/usn/USN-2915-2"}, {"source": "cve@mitre.org", "url": "http://www.ubuntu.com/usn/USN-2915-3"}, {"source": "cve@mitre.org", "url": "https://github.com/django/django/commit/67b46ba7016da2d259c1ecc7d666d11f5e1cfaab"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.djangoproject.com/weblog/2016/mar/01/security-releases/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2016-0502.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2016-0504.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2016-0505.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2016-0506.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2016/dsa-3544"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/83878"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securitytracker.com/id/1035152"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.ubuntu.com/usn/USN-2915-1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.ubuntu.com/usn/USN-2915-2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.ubuntu.com/usn/USN-2915-3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/django/django/commit/67b46ba7016da2d259c1ecc7d666d11f5e1cfaab"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.djangoproject.com/weblog/2016/mar/01/security-releases/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank the Django project for reporting this issue.", "affected_release": [{"advisory": "RHSA-2016:0502", "cpe": "cpe:/a:redhat:openstack:5::el6", "package": "python-django-0:1.6.11-5.el6ost", "product_name": "Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6", "release_date": "2016-03-24T00:00:00Z"}, {"advisory": "RHSA-2016:0506", "cpe": "cpe:/a:redhat:openstack:5::el7", "package": "python-django-0:1.6.11-5.el7ost", "product_name": "Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7", "release_date": "2016-03-24T00:00:00Z"}, {"advisory": "RHSA-2016:0505", "cpe": "cpe:/a:redhat:openstack:6::el7", "package": "python-django-0:1.6.11-5.el7ost", "product_name": "Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7", "release_date": "2016-03-24T00:00:00Z"}, {"advisory": "RHSA-2016:0504", "cpe": "cpe:/a:redhat:openstack:7::el7", "package": "python-django-0:1.8.11-1.el7ost", "product_name": "Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7", "release_date": "2016-03-24T00:00:00Z"}, {"advisory": "RHSA-2016:0503", "cpe": "cpe:/a:redhat:openstack-optools:7::el7", "package": "python-django-0:1.6.11-5.el7ost", "product_name": "Red Hat Enterprise Linux OpenStack Platform 7.0 Operational Tools for RHEL 7", "release_date": "2016-03-24T00:00:00Z"}], "bugzilla": {"description": "python-django: User enumeration through timing difference on password hasher work factor upgrade", "id": "1311438", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1311438"}, "csaw": false, "cvss": {"cvss_base_score": "4.3", "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "status": "verified"}, "cwe": "CWE-385", "details": ["The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests.", "A timing attack flaw was found in the way Django's PBKDF2PasswordHasher performed password hashing. Passwords hashed with an older version of PBKDF2PasswordHasher used less hashing iterations, and thus allowed an attacker to enumerate existing users based on the time differences in the login requests."], "name": "CVE-2016-2513", "package_state": [{"cpe": "cpe:/a:redhat:ceph_storage:1.2", "fix_state": "Will not fix", "package_name": "Django", "product_name": "Red Hat Ceph Storage 1.2"}, {"cpe": "cpe:/a:redhat:ceph_storage:1.3", "fix_state": "Will not fix", "package_name": "Django", "product_name": "Red Hat Ceph Storage 1.3"}, {"cpe": "cpe:/a:redhat:openstack:8", "fix_state": "Not affected", "package_name": "python-django", "product_name": "Red Hat OpenStack Platform 8 (Liberty)"}, {"cpe": "cpe:/a:redhat:openstack-optools:8", "fix_state": "Not affected", "package_name": "python-django", "product_name": "Red Hat OpenStack Platform 8 (Liberty) Operational Tools"}, {"cpe": "cpe:/a:rhel_sam:1", "fix_state": "Affected", "package_name": "Django", "product_name": "Red Hat Subscription Asset Manager"}], "public_date": "2016-03-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2016-2513\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-2513\nhttps://www.djangoproject.com/weblog/2016/mar/01/security-releases/"], "threat_severity": "Moderate"}

{}