Vulnerability Description
django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root namespace for both session identifiers and application-data keys, which allows remote attackers to modify a session by triggering use of a key that is equal to that session's identifier.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Djangoproject | Django | <= 1.2.6 |
Related Weaknesses (CWE)
References
- http://openwall.com/lists/oss-security/2011/09/11/1Patch
- http://openwall.com/lists/oss-security/2011/09/13/2Patch
- http://secunia.com/advisories/46614
- http://www.debian.org/security/2011/dsa-2332
- https://bugzilla.redhat.com/show_bug.cgi?id=737366Patch
- https://hermes.opensuse.org/messages/14700881
- https://www.djangoproject.com/weblog/2011/sep/09/PatchVendor Advisory
- https://www.djangoproject.com/weblog/2011/sep/10/127/Patch
- http://openwall.com/lists/oss-security/2011/09/11/1Patch
- http://openwall.com/lists/oss-security/2011/09/13/2Patch
- http://secunia.com/advisories/46614
- http://www.debian.org/security/2011/dsa-2332
- https://bugzilla.redhat.com/show_bug.cgi?id=737366Patch
- https://hermes.opensuse.org/messages/14700881
- https://www.djangoproject.com/weblog/2011/sep/09/PatchVendor Advisory
FAQ
What is CVE-2011-4136?
CVE-2011-4136 is a vulnerability with a CVSS score of 5.8 (MEDIUM). django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root namespace for both session identifiers and application-data keys, which a...
How severe is CVE-2011-4136?
CVE-2011-4136 has been rated MEDIUM with a CVSS base score of 5.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2011-4136?
Check the references section above for vendor advisories and patch information. Affected products include: Djangoproject Django.