Use of hardcoded DB password Affecting django package, versions [,1.8.16) [1.9,1.9.11) [1.10,1.10.3)
Snyk CVSS
- Attack Complexity: Low
- Confidentiality: High
- Integrity: High
- Availability: High
Threat Intelligence
- EPSS: 1.29% (86th percentile)
- Snyk ID SNYK-PYTHON-DJANGO-40439
- published 1 Nov 2016
- disclosed 1 Nov 2016
- credit Marti Raudsepp
Introduced: 1 Nov 2016
CVE-2016-9013
Overview
django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design.
Affected versions of this package used a hardcoded password for a temporary database user created when running tests with an Oracle database. This user is usually dropped after the test suite completes, but not when using the manage.py test --keepdb option or if the user has an active session. This makes it easier for remote attackers to obtain access to the database.
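Added illustration of the pattern behind the defect and its remedy (example code, not Django's own): a static fallback password for the temporary test user beside a per-run random fallback that still honours an explicit TEST['PASSWORD'] database setting, plus a pre-flight check for the --keepdb case described above. The settings dict shape, the placeholder constant and the function names are assumptions for this example.

```python
import secrets
import string

# Constructed placeholder standing in for the fixed string the affected
# releases fell back to; the real value is deliberately not reproduced.
HARDCODED_DEFAULT = "PLACEHOLDER_STATIC_TEST_PASSWORD"

# Oracle passwords of that era were limited to 30 characters and were
# safest as plain alphanumerics, so the random fallback keeps that shape.
ORACLE_PASSWORD_MAX_LEN = 30
_ALPHABET = string.ascii_letters + string.digits


def _explicit_password(database_settings):
    """Return TEST['PASSWORD'] from a Django-style DATABASES entry, if set."""
    return database_settings.get("TEST", {}).get("PASSWORD")


def vulnerable_test_password(database_settings):
    """Mirrors the defect: every project that omits TEST['PASSWORD']
    ends up with the same well-known password for its test user."""
    return _explicit_password(database_settings) or HARDCODED_DEFAULT


def hardened_test_password(database_settings, length=ORACLE_PASSWORD_MAX_LEN):
    """Mirrors the remedy: honour an explicit password, otherwise mint a
    fresh random one for this run, so a user left behind by --keepdb or a
    lingering session carries no guessable secret."""
    explicit = _explicit_password(database_settings)
    if explicit:
        return explicit
    return "".join(secrets.choice(_ALPHABET) for _ in range(length))


def persists_with_static_password(database_settings, keepdb):
    """Pre-flight check for the risky combination the advisory describes:
    the test user survives the run (--keepdb) and would use the static
    fallback because no explicit TEST['PASSWORD'] is configured."""
    static = vulnerable_test_password(database_settings) == HARDCODED_DEFAULT
    return keepdb and static


if __name__ == "__main__":
    # Constructed DATABASES entry with no TEST['PASSWORD'] set.
    oracle_db = {"ENGINE": "django.db.backends.oracle", "NAME": "xe",
                 "TEST": {"USER": "test_user"}}
    print("risky with --keepdb:", persists_with_static_password(oracle_db, True))
    print("hardened fallback:", hardened_test_password(oracle_db))
```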