Lucene search

GitHub Advisory DatabaseGHSA-625G-GX8C-XCMG

HistoryMay 14, 2022 - 2:09 a.m.

Django Middleware Enables Session Hijacking

2022-05-1402:09:22

CWE-287

GitHub Advisory Database

github.com

6 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:S/C:P/I:P/A:P

0.004 Low

EPSS

Percentile

72.9%

JSON

The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors related to the REMOTE_USER header.

CPENameOperatorVersion
djangolt1.6.6
djangolt1.5.9
djangolt1.4.14

Name	Operator	Version
django	lt	1.6.6
django	lt	1.5.9
django	lt	1.4.14

References

lists.opensuse.org/opensuse-updates/2014-09/msg00023.html

www.debian.org/security/2014/dsa-3010

github.com/advisories/GHSA-625g-gx8c-xcmg

github.com/django/django/blob/aa3cb3f37265be37d892e2b391ff023e9caee2a4/docs/releases/1.5.9.txt#L42

github.com/django/django/commit/0268b855f9eab3377f2821164ef3e66037789e09

github.com/django/django/commit/5307ce565fbedb9cc27cbe7c757b41a00438d37c

github.com/django/django/commit/c9e3b9949cd55f090591fbdc4a114fcb8368b6d9

github.com/django/django/commit/dd68f319b365f6cb38c5a6c106faf4f6142d7d88

nvd.nist.gov/vuln/detail/CVE-2014-0482

www.djangoproject.com/weblog/2014/aug/20/security/

6 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:S/C:P/I:P/A:P

0.004 Low

EPSS

Percentile

72.9%

JSON

Related for GHSA-625G-GX8C-XCMG