SB2016032408 - Timing attack in py-django (Alpine package)
Published: March 24, 2016
Security Bulletin ID: SB2016032408
Severity: Low
Patch available: Yes
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Information disclosure
Breakdown by severity: 1 Low, 0 Medium, 0 High, 0 Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Timing attack (CVE-ID: CVE-2016-2513)
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system. The weakness exists in the password hasher in contrib/auth/hashers.py: a login request for a user whose stored password was encoded with an older (lower) number of iterations takes a different amount of time to process than a login request for a nonexistent user. A remote attacker can measure this timing difference across login requests to enumerate valid user accounts.
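The following standalone PBKDF2 checker is added here to illustrate the defect and its mitigation; it is not Django's code and not part of the bulletin. It assumes constructed cost parameters (a current default of 20000 iterations and a legacy hash stored with 4000), a constructed salt, and a `check_password()` login path in which `encoded is None` models a nonexistent user. Without hardening, the legacy user's login is verified at only 4000 iterations while the nonexistent user is hashed at the full default, so the two responses differ in duration; `harden_runtime()` spends the iterations the legacy hash is "missing" so both paths cost about the same, which is the approach the upstream fix took.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Cost parameters for this illustration (constructed; not Django's configured values).
DEFAULT_ITERATIONS = 20000   # what a freshly encoded password costs today
LEGACY_ITERATIONS = 4000     # a stored hash left over from an older, lower default
ALGORITHM = "pbkdf2_sha256"


def encode(password: str, salt: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return an 'algorithm$iterations$salt$hash' string in the Django storage style."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return f"{ALGORITHM}${iterations}${salt}${base64.b64encode(digest).decode()}"


def decode(encoded: str) -> dict:
    """Split a stored hash into its parts; the iteration count is what decides the cost."""
    algorithm, iterations, salt, digest = encoded.split("$", 3)
    if algorithm != ALGORITHM:
        raise ValueError("unsupported hasher")
    return {"iterations": int(iterations), "salt": salt, "hash": digest}


def verify(password: str, encoded: str) -> bool:
    """Recompute with the *stored* iteration count and compare in constant time.
    This is where a legacy hash is cheaper than a current one."""
    parts = decode(encoded)
    candidate = encode(password, parts["salt"], parts["iterations"])
    return hmac.compare_digest(candidate.encode(), encoded.encode())


def harden_runtime(password: str, encoded: str) -> int:
    """Spend the iterations a legacy hash lacks so its total cost matches DEFAULT_ITERATIONS.
    Returns the number of extra iterations performed (0 when the hash is already current)."""
    parts = decode(encoded)
    extra = DEFAULT_ITERATIONS - parts["iterations"]
    if extra > 0:
        hashlib.pbkdf2_hmac("sha256", password.encode(), parts["salt"].encode(), extra)
        return extra
    return 0


def check_password(password: str, encoded: Optional[str], harden: bool = True) -> bool:
    """Login path. A nonexistent user (encoded is None) is hashed at the full default cost,
    so an attacker compares every real user's response time against that baseline."""
    if encoded is None:
        encode(password, "dummysalt")  # dummy hash: always full cost for unknown users
        return False
    ok = verify(password, encoded)
    if harden:
        harden_runtime(password, encoded)  # equalise cost for legacy-iteration hashes
    return ok


def timed_check(password: str, encoded: Optional[str], harden: bool) -> float:
    """Wall-clock seconds for one login attempt (used only for the demonstration below)."""
    start = time.perf_counter()
    check_password(password, encoded, harden)
    return time.perf_counter() - start


if __name__ == "__main__":
    legacy_hash = encode("correct horse", "saltsalt", LEGACY_ITERATIONS)  # constructed
    for harden in (False, True):
        t_user = timed_check("wrong guess", legacy_hash, harden)
        t_none = timed_check("wrong guess", None, harden)
        print(f"harden={harden}: legacy user {t_user * 1000:.1f} ms, "
              f"nonexistent user {t_none * 1000:.1f} ms")
```

Running the module prints the two response times with and without hardening: without it the legacy user's check finishes in roughly a fifth of the time of the nonexistent-user check, with it both are close to the default cost. Absolute numbers vary by machine; the gap, not the values, is what the defender cares about. The same reasoning applies to any stored-hash format that carries a per-record cost parameter (bcrypt rounds, Argon2 parameters): a user-controlled observation of verification time leaks whether a record exists unless the cost is normalised.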
Remediation
Install update from vendor's website.