Use of Hard-coded Credentials

CVE-2016-9013

High

9.8/10

Summary

Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a hardcoded password for a temporary database user created when running tests with an Oracle database, which makes it easier for remote attackers to obtain access to the database server by leveraging failure to manually specify a password in the database settings TEST dictionary. Branches prior to 1.8.x are unsupported and might be vulnerable as well.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: HIGH
Availability Impact: HIGH

CWE-798 - Use of Hard-coded Credentials

The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.

References

Release Note

Advisory Timeline

Published Dec 09, 2016

Use of Hard-coded Credentials

CVE-2016-9013

Summary

CWE-798 - Use of Hard-coded Credentials

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS