Main Vulnerability Database SB2013112632

SB2013112632 - Improper Authentication in py-django (Alpine package)

Published: November 26, 2013

Security Bulletin ID SB2013112632

CSH Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Partial DoS

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) Improper Authentication (CVE-ID: CVE-2013-1443)

CWE-ID: CWE-287 - Improper Authentication

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The authentication framework (django.contrib.auth) in Django 1.4.x before 1.4.8, 1.5.x before 1.5.4, and 1.6.x before 1.6 beta 4 allows remote attackers to cause a denial of service (CPU consumption) via a long password which is then hashed.

Remediation

Install update from vendor's website.

References

https://git.alpinelinux.org/aports/commit/?id=e286e9f4e90f517fd2971a096b4128c4d6100ba0
https://git.alpinelinux.org/aports/commit/?id=3b05eee60ed17ee1c73fcff15e5fd3762df49b49
https://git.alpinelinux.org/aports/commit/?id=4dd9dc6af38a7af46c3ab44f62fa543362d35651