GitHub Advisory DatabaseGHSA-WPJR-J57X-WXFWData leakage via cache key collision in Django
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
0.004 Low
EPSS
Percentile
73.5%
An issue was discovered in Django version 2.2 before 2.2.13 and 3.0 before 3.0.7. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage.
References
docs.djangoproject.com/en/3.0/releases/security/
github.com/advisories/GHSA-wpjr-j57x-wxfw
github.com/django/django/commit/07e59caa02831c4569bbebb9eb773bdd9cb4b206
github.com/django/django/commit/84b2da5552e100ae3294f564f6c862fef8d0e693
groups.google.com/d/msg/django-announce/pPEmb2ot4Fo/X-SMalYSBAAJ
lists.debian.org/debian-lts-announce/2020/06/msg00016.html
lists.fedoraproject.org/archives/list/[email protected]/message/4A2AP4T7RKPBCLTI2NNQG3T6MINDUUMZ/
nvd.nist.gov/vuln/detail/CVE-2020-13254
security.netapp.com/advisory/ntap-20200611-0002/
usn.ubuntu.com/4381-1/
usn.ubuntu.com/4381-2/
www.debian.org/security/2020/dsa-4705
www.djangoproject.com/weblog/2020/jun/03/security-releases/
www.oracle.com/security-alerts/cpujan2021.html
Related
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
0.004 Low
EPSS
Percentile
73.5%