CVE-2011-4136Improper Input Validation in Django

CWE-20Improper Input Validation9 documents7 sources
Severity
5.8MEDIUMNVD
EPSS
1.2%
top 21.10%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Djangoproject Django
Timeline
PublishedOct 19
Latest updateJul 23

Description

django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root namespace for both session identifiers and application-data keys, which allows remote attackers to modify a session by triggering use of a key that is equal to that session's identifier.

CVSS vector

AV:N/AC:M/C:N/I:P/A:PExploitability: 8.6 | Impact: 4.9

Affected Packages2 packages

PyPIdjangoproject/django1.31.3.1+1
NVDdjangoproject/django1.2.6+18

Patches

Patch: openwall.comPatch: openwall.comPatch: bugzilla.redhat.com

🔴Vulnerability Details

4
OSV
Session manipulation in Django2018-07-23
GHSA
Session manipulation in Django2018-07-23
CVEList
CVE-2011-4136: django2011-10-19
OSV
CVE-2011-4136: django2011-10-19

📋Vendor Advisories

2
Ubuntu
Django vulnerabilities2011-12-09
Debian
CVE-2011-4136: python-django - django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when sess...2011

💬Community

2
Bugzilla
CVE-2011-4136, CVE-2011-4137, CVE-2011-4138, CVE-2011-4139, CVE-2011-4140 Django: v1.3.1, v1.2.7 multiple security flaws [epel-6]2011-09-30
Bugzilla
CVE-2011-4136 CVE-2011-4137 CVE-2011-4138 CVE-2011-4139 CVE-2011-4140 Django: v1.3.1, v1.2.7 multiple security flaws2011-09-11
CVE-2011-4136 — Improper Input Validation in Django | cvebase