CVE-2016-2513

The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests.

References

Affected packages

Git / github.com/django/django

Affected ranges

Type

GIT

Repo

https://github.com/django/django

Events

Introduced

Last affected

c982190acf7bcfba5e78a7505a45774916865569

Introduced

Last affected

3df8ccf6fc3fa0ab2acf9a03da43fea87f8ff392

Introduced

Last affected

e70a309c428cfd4e600dc9fa0c7269b1e7a8efcd

Introduced

Last affected

c00335997744196738368f46c30ef2eeaa0ac849

Fixed

67b46ba7016da2d259c1ecc7d666d11f5e1cfaab

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.8.9"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.9"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.9.1"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.9.2"
        }
    ]
}

Affected versions

1.*

1.0

1.1

1.2

1.2.1

1.3

1.4

1.7a2

1.8

1.8.1

1.8.2

1.8.3

1.8.4

1.8.5

1.8.6

1.8.7

1.8.8

1.8.9

1.8a1

1.8b1

1.8b2

1.8c1

1.9

1.9.1

1.9.10

1.9.11

1.9.12

1.9.13

1.9.2

1.9.3

1.9.4

1.9.5

1.9.6

1.9.7

1.9.8

1.9.9

1.9a1

1.9b1

1.9rc1

1.9rc2

stable/1.*

stable/1.9.x

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-2513.json"