DEBIAN-CVE-2025-13473

See a problem?
Please try reporting it to the source first.
Source
https://security-tracker.debian.org/tracker/CVE-2025-13473
Import Source
https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2025-13473.json
JSON Data
https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2025-13473
Upstream
Downstream
Published
2026-02-03T15:16:11.593Z
Modified
2026-03-11T07:37:44.093186Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. The django.contrib.auth.handlers.modwsgi.check_password() function for authentication via mod_wsgi allows remote attackers to enumerate users via a timing attack. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Stackered for reporting this issue.

References

Affected packages

Debian:11 / python-django

Package

Name
python-django
Purl
pkg:deb/debian/python-django?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2:2.2.28-1~deb11u12

Affected versions

2:2.*
2:2.2.24-1
2:2.2.25-1~deb11u1
2:2.2.26-1~deb11u1
2:2.2.28-1~deb11u1
2:2.2.28-1~deb11u2
2:2.2.28-1~deb11u3
2:2.2.28-1~deb11u4
2:2.2.28-1~deb11u5
2:2.2.28-1~deb11u6
2:2.2.28-1~deb11u7
2:2.2.28-1~deb11u8
2:2.2.28-1~deb11u9
2:2.2.28-1~deb11u10
2:2.2.28-1~deb11u11

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2025-13473.json"

Debian:12 / python-django

Package

Name
python-django
Purl
pkg:deb/debian/python-django?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3:3.2.25-0+deb12u2

Affected versions

3:3.*
3:3.2.19-1
3:3.2.19-1+deb12u1~bpo11+1
3:3.2.19-1+deb12u1
3:3.2.19-1+deb12u2
3:3.2.20-1
3:3.2.20-1.1
3:3.2.21-1
3:3.2.25-0+deb12u1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2025-13473.json"

Debian:13 / python-django

Package

Name
python-django
Purl
pkg:deb/debian/python-django?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3:4.2.28-0+deb13u1

Affected versions

3:4.*
3:4.2.23-1
3:4.2.24-1
3:4.2.25-1
3:4.2.25-2
3:4.2.26-1
3:4.2.27-0+deb13u1
3:4.2.27-1
3:4.2.27-2

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2025-13473.json"

Debian:14 / python-django

Package

Name
python-django
Purl
pkg:deb/debian/python-django?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3:4.2.28-1

Affected versions

3:4.*
3:4.2.23-1
3:4.2.24-1
3:4.2.25-1
3:4.2.25-2
3:4.2.26-1
3:4.2.27-1
3:4.2.27-2

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2025-13473.json"