GHSA-625g-gx8c-xcmg

Source

https://github.com/advisories/GHSA-625g-gx8c-xcmg

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-625g-gx8c-xcmg/GHSA-625g-gx8c-xcmg.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-625g-gx8c-xcmg

Aliases

Published

2022-05-14T02:09:22Z

Modified

2024-09-18T16:25:46.585453Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

Django Middleware Enables Session Hijacking

Details

The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors related to the REMOTE_USER header.

References

Affected packages

PyPI / django

Package

Name: django; View open source insights on deps.dev
Purl: pkg:pypi/django

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.4.14

Affected versions

1.*

1.0.1

1.0.2

1.0.3

1.0.4

1.1

1.1.1

1.1.2

1.1.3

1.1.4

1.2

1.2.1

1.2.2

1.2.3

1.2.4

1.2.5

1.2.6

1.2.7

1.3

1.3.1

1.3.2

1.3.3

1.3.4

1.3.5

1.3.6

1.3.7

1.4

1.4.1

1.4.2

1.4.3

1.4.4

1.4.5

1.4.6

1.4.7

1.4.8

1.4.9

1.4.10

1.4.11

1.4.12

1.4.13

Ecosystem specific

{
    "affected_functions": [
        "django.contrib.auth.middleware.RemoteUserMiddleware.process_request"
    ]
}

PyPI / django

Package

Name: django; View open source insights on deps.dev
Purl: pkg:pypi/django

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.5

Fixed

1.5.9

Affected versions

1.*

1.5

1.5.1

1.5.2

1.5.3

1.5.4

1.5.5

1.5.6

1.5.7

1.5.8

Ecosystem specific

{
    "affected_functions": [
        "django.contrib.auth.middleware.RemoteUserMiddleware.process_request"
    ]
}

PyPI / django

Package

Name: django; View open source insights on deps.dev
Purl: pkg:pypi/django

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.6

Fixed

1.6.6

Affected versions

1.*

1.6

1.6.1

1.6.2

1.6.3

1.6.4

1.6.5

Ecosystem specific

{
    "affected_functions": [
        "django.contrib.auth.middleware.RemoteUserMiddleware.process_request"
    ]
}