Alpine: multiple py3-django packages: security update to 1.8.16-r0

critical Tenable Self-Hosted Container Security Plugin ID 406652

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a hardcoded password for a
temporary database user created when running tests with an Oracle database, which makes it easier for
remote attackers to obtain access to the database server by leveraging failure to manually specify a
password in the database settings TEST dictionary. (CVE-2016-9013)

- Django before 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is
True, allow remote attackers to conduct DNS rebinding attacks by leveraging failure to validate the HTTP
Host header against settings.ALLOWED_HOSTS. (CVE-2016-9014)

See Also

https://security.alpinelinux.org/vuln/CVE-2016-9013

https://security.alpinelinux.org/vuln/CVE-2016-9014

Plugin Details

Severity: Critical

ID: 406652

Version: Revision 1.27

Type: Local

Published: 10/31/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.12

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2016-9013

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Critical

Base Score: 9.3

Threat Score: 8.1

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 11/1/2016

Reference Information

CVE: CVE-2016-9013, CVE-2016-9014

BID: 94068, 94069