CVE-2016-2513
python-django: User enumeration through timing difference on password hasher work factor upgrade
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests.
El hasher de contraseñas en contrib/auth/hashers.py en Django en versiones anteriores a 1.8.10 y 1.9.x en versiones anteriores a 1.9.3 permite a atacantes remotos enumerar usuarios a través de un ataque de sincronización que implica peticiones de login.
A timing attack flaw was found in the way Django's PBKDF2PasswordHasher performed password hashing. Passwords hashed with an older version of PBKDF2PasswordHasher used less hashing iterations, and thus allowed an attacker to enumerate existing users based on the time differences in the login requests.
USN-2915-1 fixed vulnerabilities in Django. The upstream fix for CVE-2016-2512 introduced a regression for certain applications. This update fixes the problem by applying the complete upstream regression fix. Mark Striemer discovered that Django incorrectly handled user-supplied redirect URLs containing basic authentication credentials. A remote attacker could possibly use this issue to perform a cross-site scripting attack or a malicious redirect. Sjoerd Job Postmus discovered that Django incorrectly handled timing when doing password hashing operations. A remote attacker could possibly use this issue to perform user enumeration. Various other issues were also addressed.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2016-02-19 CVE Reserved
- 2016-03-03 CVE Published
- 2024-08-05 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
- CWE-385: Covert Timing Channel
CAPEC
References (15)
| URL | Tag | Source |
|---|---|---|
| http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html | X_refsource_confirm |
|
| http://www.securityfocus.com/bid/83878 | Vdb Entry | |
| http://www.securitytracker.com/id/1035152 | Vdb Entry | |
| https://github.com/django/django/commit/67b46ba7016da2d259c1ecc7d666d11f5e1cfaab | X_refsource_confirm |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| http://rhn.redhat.com/errata/RHSA-2016-0502.html | 2017-09-08 | |
| http://rhn.redhat.com/errata/RHSA-2016-0504.html | 2017-09-08 | |
| http://rhn.redhat.com/errata/RHSA-2016-0505.html | 2017-09-08 | |
| http://rhn.redhat.com/errata/RHSA-2016-0506.html | 2017-09-08 | |
| http://www.debian.org/security/2016/dsa-3544 | 2017-09-08 | |
| http://www.ubuntu.com/usn/USN-2915-1 | 2017-09-08 | |
| http://www.ubuntu.com/usn/USN-2915-2 | 2017-09-08 | |
| http://www.ubuntu.com/usn/USN-2915-3 | 2017-09-08 | |
| https://www.djangoproject.com/weblog/2016/mar/01/security-releases | 2017-09-08 | |
| https://access.redhat.com/security/cve/CVE-2016-2513 | 2016-03-24 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1311438 | 2016-03-24 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Djangoproject Search vendor "Djangoproject" | Django Search vendor "Djangoproject" for product "Django" | 1.8.9 Search vendor "Djangoproject" for product "Django" and version "1.8.9" | - |
Affected
| ||||||
| Djangoproject Search vendor "Djangoproject" | Django Search vendor "Djangoproject" for product "Django" | 1.9 Search vendor "Djangoproject" for product "Django" and version "1.9" | - |
Affected
| ||||||
| Djangoproject Search vendor "Djangoproject" | Django Search vendor "Djangoproject" for product "Django" | 1.9.1 Search vendor "Djangoproject" for product "Django" and version "1.9.1" | - |
Affected
| ||||||
| Djangoproject Search vendor "Djangoproject" | Django Search vendor "Djangoproject" for product "Django" | 1.9.2 Search vendor "Djangoproject" for product "Django" and version "1.9.2" | - |
Affected
| ||||||