CVE-2011-4136
Published 2011-10-19
Priority: P428 · Severity: medium · CVSS 2.0: 5.8
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:P
EPSS: 2.28% (81.0th percentile)
django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root namespace for both session identifiers and application-data keys, which allows remote attackers to modify a session by triggering use of a key that is equal to that session's identifier.
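An added illustration of the key-space collision the description refers to, and of the key-prefix separation that the fixed releases introduced. This is example code written for this page, not Django's session backend; the cache class, the session id, the application write and the prefix string are all constructed for the demonstration.

```python
# Added example (not Django's code): a session backend that uses the bare
# session id as its cache key shares a key space with every other cache user,
# so an application write under a colliding key replaces the session record.
# Prefixing the session keys gives them their own namespace.

class FakeCache:
    """Minimal stand-in for a shared cache backend (constructed for this example)."""
    def __init__(self):
        self._store = {}

    def set(self, key, value):
        self._store[key] = value

    def get(self, key, default=None):
        return self._store.get(key, default)


class RootNamespaceSessionStore:
    """Pre-fix pattern: cache key == session identifier, no prefix."""
    def __init__(self, cache, session_key):
        self._cache, self.session_key = cache, session_key

    def cache_key(self):
        return self.session_key

    def save(self, data):
        self._cache.set(self.cache_key(), data)

    def load(self):
        return self._cache.get(self.cache_key(), {})


class PrefixedSessionStore(RootNamespaceSessionStore):
    """Fixed pattern: session records live under their own key prefix."""
    KEY_PREFIX = "example.sessions.cache."   # illustrative prefix, chosen for this example

    def cache_key(self):
        return self.KEY_PREFIX + self.session_key


def session_survives(store_cls):
    """True if a session's data is intact after application code writes to the
    same cache using a key equal to that session's identifier (constructed scenario)."""
    cache = FakeCache()
    store = store_cls(cache, "abc123sessionid")
    store.save({"user_id": 42})
    # Application-data write whose key happens to equal the session id.
    cache.set("abc123sessionid", {"user_id": 1})
    return store.load() == {"user_id": 42}
```

The same check is the regression test a deployment can keep: any cache-backed session store must keep its records intact when unrelated code writes under an arbitrary key.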
Affected
22 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python-django | < python-django 1.3.1-1 (bookworm) | python-django 1.3.1-1 (bookworm) |
| djangoproject | django | <= 1.2.6 | — |
| djangoproject | django | >= 0 < 1.2.7 | 1.2.7 |
| djangoproject | django | >= 1.3 < 1.3.1 | 1.3.1 |
CVSS provenance
| Source | CVSS | Severity | Vector |
|---|---|---|---|
| nvd (v2.0) | 5.8 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:P |
| osv | 5.8 | MEDIUM | — |
| vendor_debian | 5.8 | MEDIUM | — |
| vendor_ubuntu | 5.8 | MEDIUM | — |
OSV · 2018-07-23 · MEDIUM
Session manipulation in Django
GHSA · 2018-07-23 · MEDIUM · CWE-20
Session manipulation in Django
OSV · 2011-10-19 · CVSS 5.8 · MEDIUM
CVE-2011-4136: django
Ubuntu · 2011-12-09 · CVSS 5.8 · MEDIUM
Title: Django vulnerabilities
Summary: Applications using Django could be made to crash or expose sensitive information.
Paul McMillan discovered that Django used the root namespace when storing
cached session data. A remote attacker could exploit this to modify
sessions. (CVE-2011-4136)
Paul McMillan discovered that Django would not timeout on arbitrary URLs
when the application used URLFields. This could be exploited by a remote
attacker to cause a denial of service via resource exhaustion.
(CVE-2011-4137)
Paul McMillan discovered that while Django would check the validity of a
URL via a HEAD request, it would instead use a GET request for the target
of a redirect. This could potentially be used to trigger arbitrary GET
requests via a crafted Location header. (CVE-2011-4138)
It was
Debian · 2011 · CVSS 5.8 · MEDIUM
CVE-2011-4136: python-django - django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when sess...
Scope: local
bookworm: resolved (fixed in 1.3.1-1)
bullseye: resolved (fixed in 1.3.1-1)
forky: resolved (fixed in 1.3.1-1)
sid: resolved (fixed in 1.3.1-1)
trixie: resolved (fixed in 1.3.1-1)
No detection rules found.
No public exploits indexed.
Bugzilla · 2011-09-30 · CVSS 5.8 · MEDIUM
CVE-2011-4136, CVE-2011-4137, CVE-2011-4138, CVE-2011-4139, CVE-2011-4140 Django: v1.3.1, v1.2.7 multiple security flaws [epel-6]
epel-6 tracking bug for Django: see blocks bug list for full details of the security issue(s).
This bug is never intended to be made public, please put any public notes
in the 'blocks' bugs.
[bug automatically created by: add-tracking-bugs]
Discussion:
Missed the 1.2.7 errata announcement, my apologies.
---
Django-1.2.7-1.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/Django-1.2.7-1.el6
---
Package Django-1.2.7-1.el6:
* should fix your issue,
* was pushed to the Fedora EPEL 6 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=ep
Bugzilla · 2011-09-11 · CVSS 5.8 · MEDIUM
CVE-2011-4136 CVE-2011-4137 CVE-2011-4138 CVE-2011-4139 CVE-2011-4140 Django: v1.3.1, v1.2.7 multiple security flaws
Multiple security flaws have been recently addressed in the v1.3.1 and v1.2.7 versions of the Django Python Web framework (from [1]):
1. Session manipulation
2. Denial of service attack via URLField
3. URLField redirection
4. Host header cache poisoning
5. Host header and CSRF
6. Cross-subdomain CSRF attacks
7. DEBUG pages and sensitive POST data
References:
[1] https://www.djangoproject.com/weblog/2011/sep/09/
Discussion:
Created attachment 522611
Local text copy of Django upstream archive post from 2011-09-09
---
CVE(s) Request:
[2] http://www.openwall.com/lists/oss-security/2011/09/11/1
---
These issues are scheduled to be addressed in the following releases
References:
- http://openwall.com/lists/oss-security/2011/09/11/1
- http://openwall.com/lists/oss-security/2011/09/13/2
- http://secunia.com/advisories/46614
- http://www.debian.org/security/2011/dsa-2332
- https://bugzilla.redhat.com/show_bug.cgi?id=737366
- https://hermes.opensuse.org/messages/14700881
- https://www.djangoproject.com/weblog/2011/sep/09/
- https://www.djangoproject.com/weblog/2011/sep/10/127/
Published: 2011-10-19