{
	"document":{
		"aggregate_severity":{
			"namespace":"https://nvd.nist.gov/vuln-metrics/cvss",
			"text":"MEDIUM"
		},
		"category":"csaf_vex",
		"csaf_version":"2.0",
		"distribution":{
			"tlp":{
				"label":"WHITE",
				"url":"https://www.first.org/tlp/"
			}
		},
		"lang":"en",
		"notes":[
			{
				"text":"An issue was discovered in Django versions before 6.0.2, before 5.2.11, and before 4.2.28. The `django.contrib.auth.handlers.modwsgi.check_password()` function for authentication via `mod_wsgi` is vulnerable to a timing attack, allowing remote attackers to enumerate valid usernames. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. This issue has been rated with a severity of \"low\" according to the Django security policy.",
				"category":"general",
				"title":"Synopsis"
			}
		],
		"publisher":null,
		"references":[
			{
				"summary":"nvd cve",
				"category":"external",
				"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-13473"
			},
			{
				"summary":"CVE-2025-13473 vex file",
				"category":"self",
				"url":"https://repo.openeuler.org/security/data/csaf/cve/2025/csaf-openeuler-cve-2025-13473.json"
			},
			{
				"summary":"openEuler-SA-2026-1507",
				"category":"self",
				"url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1507"
			},
			{
				"summary":"CVE-2025-13473",
				"category":"self",
				"url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-13473&packageName=python-django"
			}
		],
		"title":"openEuler cve CVE-2025-13473",
		"tracking":{
			"initial_release_date":"2026-03-09T15:10:56+08:00",
			"revision_history":[
				{
					"date":"2026-03-09T15:10:56+08:00",
					"summary":"Initial",
					"number":"1.0.0"
				}
			],
			"generator":{
				"date":"2026-03-09T15:10:56+08:00",
				"engine":{
					"name":"openEuler CSAF Tool V1.0"
				}
			},
			"current_release_date":"2026-03-09T15:10:56+08:00",
			"id":"CVE-2025-13473",
			"version":"1.0.0",
			"status":"interim"
		}
	},
	"product_tree":{
		"branches":[
			{
				"name":"openEuler",
				"category":"vendor",
				"branches":[
					{
						"name":"openEuler",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4"
									},
									"product_id":"openEuler-20.03-LTS-SP4",
									"name":"openEuler-20.03-LTS-SP4"
								},
								"name":"openEuler-20.03-LTS-SP4",
								"category":"product_version"
							}
						],
						"category":"product_name"
					},
					{
						"name":"noarch",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4"
									},
									"product_id":"python-django-help-2.2.27-21.oe2003sp4.noarch.rpm",
									"name":"python-django-help-2.2.27-21.oe2003sp4.noarch.rpm"
								},
								"name":"python-django-help-2.2.27-21.oe2003sp4.noarch.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4"
									},
									"product_id":"python3-Django-2.2.27-21.oe2003sp4.noarch.rpm",
									"name":"python3-Django-2.2.27-21.oe2003sp4.noarch.rpm"
								},
								"name":"python3-Django-2.2.27-21.oe2003sp4.noarch.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					},
					{
						"name":"src",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4"
									},
									"product_id":"python-django-2.2.27-21.oe2003sp4.src.rpm",
									"name":"python-django-2.2.27-21.oe2003sp4.src.rpm"
								},
								"name":"python-django-2.2.27-21.oe2003sp4.src.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					}
				]
			}
		],
		"relationships":[
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP4",
				"product_reference":"python-django-help-2.2.27-21.oe2003sp4.noarch.rpm",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP4:python-django-help-2.2.27-21.oe2003sp4.noarch",
					"name":"python-django-help-2.2.27-21.oe2003sp4.noarch as a component of openEuler-20.03-LTS-SP4"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP4",
				"product_reference":"python3-Django-2.2.27-21.oe2003sp4.noarch.rpm",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP4:python3-Django-2.2.27-21.oe2003sp4.noarch",
					"name":"python3-Django-2.2.27-21.oe2003sp4.noarch as a component of openEuler-20.03-LTS-SP4"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP4",
				"product_reference":"python-django-2.2.27-21.oe2003sp4.src.rpm",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP4:python-django-2.2.27-21.oe2003sp4.src",
					"name":"python-django-2.2.27-21.oe2003sp4.src as a component of openEuler-20.03-LTS-SP4"
				},
				"category":"default_component_of"
			}
		]
	},
	"vulnerabilities":[
		{
			"cve":"CVE-2025-13473",
			"notes":[
				{
					"text":"An issue was discovered in Django versions before 6.0.2, before 5.2.11, and before 4.2.28. The `django.contrib.auth.handlers.modwsgi.check_password()` function for authentication via `mod_wsgi` is vulnerable to a timing attack, allowing remote attackers to enumerate valid usernames. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. This issue has been rated with a severity of \"low\" according to the Django security policy.",
					"category":"description",
					"title":"Vulnerability Description"
				}
			],
			"product_status":{
				"fixed":[
					"openEuler-20.03-LTS-SP4:python-django-help-2.2.27-21.oe2003sp4.noarch",
					"openEuler-20.03-LTS-SP4:python3-Django-2.2.27-21.oe2003sp4.noarch",
					"openEuler-20.03-LTS-SP4:python-django-2.2.27-21.oe2003sp4.src"
				]
			},
			"remediations":[
				{
					"product_ids":[
						"openEuler-20.03-LTS-SP4:python-django-help-2.2.27-21.oe2003sp4.noarch",
						"openEuler-20.03-LTS-SP4:python3-Django-2.2.27-21.oe2003sp4.noarch",
						"openEuler-20.03-LTS-SP4:python-django-2.2.27-21.oe2003sp4.src"
					],
					"details":"python-django security update",
					"category":"vendor_fix",
					"url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1507"
				}
			],
			"scores":[
				{
					"cvss_v3":{
						"baseSeverity":"MEDIUM",
						"baseScore":5.3,
						"vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
						"version":"3.1"
					},
					"products":[
						"openEuler-20.03-LTS-SP4:python-django-help-2.2.27-21.oe2003sp4.noarch",
						"openEuler-20.03-LTS-SP4:python3-Django-2.2.27-21.oe2003sp4.noarch",
						"openEuler-20.03-LTS-SP4:python-django-2.2.27-21.oe2003sp4.src"
					]
				}
			],
			"threats":[
				{
					"details":"Medium",
					"category":"impact"
				}
			],
			"title":"CVE-2025-13473"
		}
	]
}