CVE-2011-4136
Last modified
CVE-2011-4136 is a vulnerability of currently unknown severity. django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root namespace for both session identifiers and application-data keys, which allows remote attackers to modify a session by triggering use of a key that is equal to that session's identifier.. EPSS estimates a 2.28% chance of exploitation in the next 30 days.
Description
django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root namespace for both session identifiers and application-data keys, which allows remote attackers to modify a session by triggering use of a key that is equal to that session's identifier.
Metrics
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Djangoproject | Django | <= 1.2.6 |
| Djangoproject | Django | 0.91 |
| Djangoproject | Django | 0.95 |
| Djangoproject | Django | 0.95.1 |
| Djangoproject | Django | 0.96 |
| Djangoproject | Django | 1.0 |
| Djangoproject | Django | 1.0.1 |
| Djangoproject | Django | 1.0.2 |
| Djangoproject | Django | 1.1 |
| Djangoproject | Django | 1.1.0 |
| Djangoproject | Django | 1.1.2 |
| Djangoproject | Django | 1.1.3 |
| Djangoproject | Django | 1.2 |
| Djangoproject | Django | 1.2.1 |
| Djangoproject | Django | 1.2.2 |
| Djangoproject | Django | 1.2.3 |
| Djangoproject | Django | 1.2.4 |
| Djangoproject | Django | 1.2.5 |
| Djangoproject | Django | 1.3 |
References
- https://www.djangoproject.com/weblog/2011/sep/09/Patch, Vendor Advisory
- https://www.djangoproject.com/weblog/2011/sep/09/Patch, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2011-4136?
How severe is CVE-2011-4136?
How do I fix CVE-2011-4136?
Are you affected by CVE-2011-4136?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST