CVE-2014-0482

MEDIUM severity · CVSS 6 · Improper authentication

6CVSS MEDIUM

Summary

The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors related to the REMOTE_USER header.

Impact & exploitability

Attack vectorNetwork

Attack complexity—

Privileges required—

User interaction—

Confidentiality impact—

Integrity impact—

Availability impact—

Exploit probability (EPSS)1%

AV:N/AC:M/Au:S/C:P/I:P/A:P

Affected products we track (1)

Django

Recommendation

Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.

Additional information

NVD record
https://www.djangoproject.com/weblog/2014/aug/20/security/Advisory
http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html
http://secunia.com/advisories/59782
http://secunia.com/advisories/61276
http://secunia.com/advisories/61281
http://www.debian.org/security/2014/dsa-3010
http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html
http://secunia.com/advisories/59782