CVE-2007-0405
Published 2007-01-23

CVE-2007-0405: The LazyUser class in the AuthenticationMiddleware for Django 0.95 does not properly cache the user name across requests, which allows remote authenticated…
Priority: P4 · 26 · medium · 6.5 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
EPSS: 1.19% (64.1th percentile)
The LazyUser class in the AuthenticationMiddleware for Django 0.95 does not properly cache the user name across requests, which allows remote authenticated users to gain the privileges of a different user.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python-django | < python-django 0.95.1-1 (bookworm) | python-django 0.95.1-1 (bookworm) |
| django_project | django | — | — |
| djangoproject | django | >= 0.95 < 1.0 | 1.0 |
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| osv | — | 6.5 | MEDIUM | — |
| vendor_debian | — | 6.5 | MEDIUM | — |
GHSA
Django Improper Access Control
ghsa · 2022-05-01 · MEDIUM
Description as above (CVE-2007-0405).
OSV
Django Improper Access Control
osv · 2022-05-01 · MEDIUM
Description as above (CVE-2007-0405).
OSV
CVE-2007-0405: The LazyUser class in the AuthenticationMiddleware for Django 0
osv · 2007-01-23 · CVSS 6.5 · MEDIUM
Description as above (CVE-2007-0405).
Debian
CVE-2007-0405: python-django - The LazyUser class in the AuthenticationMiddleware for Django 0.95 does not prop...
vendor_debian · 2007 · CVSS 6.5 · MEDIUM
Description as above (CVE-2007-0405).
Scope: local
bookworm: resolved (fixed in 0.95.1-1)
bullseye: resolved (fixed in 0.95.1-1)
forky: resolved (fixed in 0.95.1-1)
sid: resolved (fixed in 0.95.1-1)
trixie: resolved (fixed in 0.95.1-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
- http://code.djangoproject.com/changeset/3754
- http://secunia.com/advisories/23826
- http://www.securityfocus.com/bid/22138
- https://exchange.xforce.ibmcloud.com/vulnerabilities/31628
Published: 2007-01-23