{"id":"PYSEC-2013-18","details":"The authentication framework (django.contrib.auth) in Django 1.4.x before 1.4.8, 1.5.x before 1.5.4, and 1.6.x before 1.6 beta 4 allows remote attackers to cause a denial of service (CPU consumption) by submitting a long password, which is then hashed. The affected ranges in this record list only the 1.4 and 1.5 series; the 1.6 pre-releases named here are not enumerated, so version matching against this record will not flag them.","aliases":["CVE-2013-1443","GHSA-4c42-4rxm-x6qf"],"modified":"2023-11-01T05:44:25.323256Z","published":"2013-09-23T20:55:00Z","references":[{"type":"ADVISORY","url":"http://www.debian.org/security/2013/dsa-2758"},{"type":"ARTICLE","url":"https://www.djangoproject.com/weblog/2013/sep/15/security/"},{"type":"WEB","url":"http://python.6.x6.nabble.com/Set-a-reasonable-upper-bound-on-password-length-td5032218.html"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-updates/2013-10/msg00015.html"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-updates/2013-11/msg00035.html"}],"affected":[{"package":{"name":"django","ecosystem":"PyPI","purl":"pkg:pypi/django"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"1.4"},{"fixed":"1.4.8"},{"introduced":"1.5"},{"fixed":"1.5.4"}]}],"versions":["1.4","1.4.1","1.4.2","1.4.3","1.4.4","1.4.5","1.4.6","1.4.7","1.5","1.5.1","1.5.2","1.5.3"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/django/PYSEC-2013-18.yaml"}}],"schema_version":"1.7.3"}