CVE-2014-0482
Published 2014-08-26
Priority: P4 · medium · CVSS 2.0 score 6.0
CVSS 2.0 vector: AV:N/AC:M/Au:S/C:P/I:P/A:P
EPSS: 1.96% (77.8th percentile)
The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors related to the REMOTE_USER header.
Affected
36 ranges (25 shown on the source page; rows carrying no version data are omitted here)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python-django | < 1.6.6-1 (bookworm) | 1.6.6-1 (bookworm) |
| djangoproject | django | <= 1.4.13 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 6.0 | MEDIUM | AV:N/AC:M/Au:S/C:P/I:P/A:P |
| osv | — | 6.0 | MEDIUM | — |
| vendor_debian | — | 6.0 | MEDIUM | — |
| vendor_redhat | — | 6.0 | MEDIUM | — |
| vendor_ubuntu | — | 5.8 | MEDIUM | — |
OSV
Django Middleware Enables Session Hijacking (osv · 2022-05-14 · CVE-2014-0482 · MEDIUM)
GHSA
Django Middleware Enables Session Hijacking (ghsa · 2022-05-14 · CVE-2014-0482 · MEDIUM · CWE-287)
OSV
python-django vulnerabilities (osv · 2014-09-16 · CVSS 5.8 · CVE-2014-0480 · MEDIUM)
Florian Apolloner discovered that Django incorrectly validated URLs. A remote attacker could use this issue to conduct phishing attacks. (CVE-2014-0480)
David Wilson discovered that Django incorrectly handled file name generation. A remote attacker could use this issue to cause Django to consume resources, resulting in a denial of service. (CVE-2014-0481)
David Greisen discovered that Django incorrectly handled certain headers in contrib.auth.middleware.RemoteUserMiddleware. A remote authenticated user could use this issue to hijack web sessions. (CVE-2014-0482)
Collin Anderson discovered that Django incorrectly checked if a field represented a relationship between models in the administrative interface. A remote authenticated user could use this issue to
OSV
CVE-2014-0482: The contrib.auth.middleware.RemoteUserMiddleware middleware (osv · 2014-08-26 · CVSS 6.0 · CVE-2014-0482 · MEDIUM)
Ubuntu
Django vulnerabilities (vendor_ubuntu · 2014-09-16 · CVSS 5.8 · CVE-2014-0480 · MEDIUM)
Title: Django vulnerabilities
Summary: Several security issues were fixed in Django.
Red Hat
Django: RemoteUserMiddleware session hijacking (vendor_redhat · 2014-08-20 · CVSS 6.0 · CVE-2014-0482 · MEDIUM)
Package: python-django (Red Hat Enterprise Linux OpenStack Platform 5 (Icehouse)) - Affected
Package: Django14 (Red Hat OpenStack Platform 4) - Affected
Package: Django (Red Hat Subscription Asset Manager) - Affected
Debian
CVE-2014-0482: python-django (vendor_debian · 2014 · CVSS 6.0 · MEDIUM)
Scope: local
bookworm: resolved (fixed in 1.6.6-1)
bullseye: resolved (fixed in 1.6.6-1)
forky: resolved (fixed in 1.6.6-1)
sid: resolved (fixed in 1.6.6-1)
trixie: resolved (fixed in 1.6.6-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2014-0480 CVE-2014-0481 CVE-2014-0482 CVE-2014-0483 Django14: various flaws [epel-6] (bugzilla · 2014-08-22 · CVSS 5.8 · CVE-2014-0480 · MEDIUM)
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
epel-6 tracking bug for Django14: see bl
Bugzilla
CVE-2014-0480 CVE-2014-0481 CVE-2014-0482 CVE-2014-0483 python-django: various flaws [fedora-all] (bugzilla · 2014-08-22 · CVSS 5.8 · CVE-2014-0480 · MEDIUM)
NOTE: this issue affects multiple su
Bugzilla
CVE-2014-0480 CVE-2014-0481 CVE-2014-0482 CVE-2014-0483 python-django15: various flaws [epel-6] (bugzilla · 2014-08-22 · CVSS 5.8 · CVE-2014-0480 · MEDIUM)
epel-6 tracking bug for python-dj
Bugzilla
CVE-2014-0480 CVE-2014-0481 CVE-2014-0482 CVE-2014-0483 python-django15: various flaws [fedora-20] (bugzilla · 2014-08-22 · CVSS 5.8 · CVE-2014-0480 · MEDIUM)
fedora-20 tracking bug for python-d
Bugzilla
CVE-2014-0480 CVE-2014-0481 CVE-2014-0482 CVE-2014-0483 python-django15: various flaws [epel-7] (bugzilla · 2014-08-22 · CVSS 5.8 · CVE-2014-0480 · MEDIUM)
epel-7 tracking bug for python-dj
Bugzilla
CVE-2014-0480 CVE-2014-0481 CVE-2014-0482 CVE-2014-0483 python-django14: various flaws [fedora-all] (bugzilla · 2014-08-22 · CVSS 5.8 · CVE-2014-0480 · MEDIUM)
NOTE: this issue affects multiple
Bugzilla
CVE-2014-0482 Django: RemoteUserMiddleware session hijacking (bugzilla · 2014-08-14 · CVSS 6.0 · CVE-2014-0482 · MEDIUM)
The Django project reports the following issue:

"Django provides a middleware -- ``django.contrib.auth.middleware.RemoteUserMiddleware`` -- and an authentication backend, ``django.contrib.auth.backends.RemoteUserBackend``, which use the ``REMOTE_USER`` header for authentication purposes.

In some circumstances, use of this middleware and backend could result in one user receiving another user's session, if a change to the ``REMOTE_USER`` header occurred without corresponding logout/login actions.

To remedy this, the middleware will now ensure that a change to ``REMOTE_USER`` without an explicit logout will force a logout and subsequent login prior to accepting the new ``REMOTE_USER``."

This issue is due to be resolved in

References:
http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html
http://secunia.com/advisories/59782
http://secunia.com/advisories/61276
http://secunia.com/advisories/61281
http://www.debian.org/security/2014/dsa-3010
https://www.djangoproject.com/weblog/2014/aug/20/security/
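The flaw and its fix as quoted from the Django project above, as an added illustration that is not Django's code or its patch: a reduced model of the middleware's request flow with stand-in request, session and backend objects (Request, KNOWN_USERS, authenticate, login, logout are all assumed names). It assumes a backend that does not create unknown users, so in the pre-fix path a failed lookup for a changed header value is what leaves the previous user's session in place; the fixed path logs out first, as the advisory describes.

```python
# Added illustration, not Django's own code: a reduced model of
# RemoteUserMiddleware.process_request() before and after the CVE-2014-0482
# fix. Request, the session dict, KNOWN_USERS and the auth helpers are
# stand-ins for the real request, session store and RemoteUserBackend.

KNOWN_USERS = {"alice", "carol"}   # users the stand-in RemoteUserBackend knows

class Request:
    """Stand-in request: META headers plus a shared server-side session."""
    def __init__(self, remote_user, session):
        self.META = {} if remote_user is None else {"REMOTE_USER": remote_user}
        self.session = session
        self.user = session.get("_auth_user")   # None models AnonymousUser

def authenticate(remote_user):
    """Stand-in RemoteUserBackend: unknown users are not created."""
    return remote_user if remote_user in KNOWN_USERS else None

def login(request, user):
    """Stand-in auth.login(): bind the user to a fresh session."""
    request.session.clear()
    request.session["_auth_user"] = user
    request.user = user

def logout(request):
    """Stand-in auth.logout(): drop the session and its user."""
    request.session.clear()
    request.user = None

def process_request(request, fixed):
    """fixed=False models the pre-fix flow, fixed=True the patched one."""
    username = request.META.get("REMOTE_USER")
    if username is None:
        return request.user
    if request.user is not None:
        if request.user == username:
            return request.user      # session already belongs to this user
        if fixed:
            logout(request)          # the fix: header changed, discard old session
    user = authenticate(username)    # pre-fix: a failed lookup leaves the old session live
    if user is not None:
        login(request, user)
    return request.user

def second_request_user(first, second, fixed):
    """Two requests on one session (REMOTE_USER=first, then second); returns the bound user."""
    session = {}
    process_request(Request(first, session), fixed)
    return process_request(Request(second, session), fixed)
```

With the pre-fix flow, a session first bound to "alice" stays bound to her when a later request on the same session carries an unknown REMOTE_USER; with the fix, that session is dropped instead.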