Homepage
About Snyk

Use of Hard-coded Credentials Affecting py3-django package, versions <1.8.16-r0

Severity

 Recommended
0.0
critical
0
10

Snyk's Security Team recommends NVD's CVSS assessment

    Threat Intelligence

    EPSS
    1.29% (87th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-ALPINE320-PY3DJANGO-7013861
  • published 23 May 2024
  • disclosed 9 Dec 2016
Report a new vulnerability Found a mistake?

Introduced: 9 Dec 2016

CVE-2016-9013 Open this link in a new tab
CWE-798 Open this link in a new tab

How to fix?

Upgrade Alpine:3.20 py3-django to version 1.8.16-r0 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream py3-django package and not the py3-django package as distributed by Alpine. See How to fix? for Alpine:3.20 relevant fixed versions and status.

Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a hardcoded password for a temporary database user created when running tests with an Oracle database, which makes it easier for remote attackers to obtain access to the database server by leveraging failure to manually specify a password in the database settings TEST dictionary.

References