CVE-2011-4136

2011-10-1910:55:00

CWE-20

[email protected]

web.nvd.nist.gov

cve

2011

4136

django

sessions

security vulnerability

remote attackers

6.2 Medium

AI Score

Confidence

Low

5.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:P/A:P

0.018 Low

EPSS

Percentile

88.1%

JSON

django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root namespace for both session identifiers and application-data keys, which allows remote attackers to modify a session by triggering use of a key that is equal to that session’s identifier.

CPENameOperatorVersion
djangoproject:djangodjangoproject djangole1.2.6
djangoproject:djangodjangoproject djangoeq1.2.5
djangoproject:djangodjangoproject djangoeq0.95
djangoproject:djangodjangoproject djangoeq1.0
djangoproject:djangodjangoproject djangoeq1.3
djangoproject:djangodjangoproject djangoeq1.1.2
djangoproject:djangodjangoproject djangoeq1.0.1
djangoproject:djangodjangoproject djangoeq1.1
djangoproject:djangodjangoproject djangoeq1.2.1
djangoproject:djangodjangoproject djangoeq1.2.4

CPE	Name	Operator	Version
djangoproject:django	djangoproject django	le	1.2.6
djangoproject:django	djangoproject django	eq	1.2.5
djangoproject:django	djangoproject django	eq	0.95
djangoproject:django	djangoproject django	eq	1.0
djangoproject:django	djangoproject django	eq	1.3
djangoproject:django	djangoproject django	eq	1.1.2
djangoproject:django	djangoproject django	eq	1.0.1
djangoproject:django	djangoproject django	eq	1.1
djangoproject:django	djangoproject django	eq	1.2.1
djangoproject:django	djangoproject django	eq	1.2.4