CVE-2011-4136

Django <1.2.7 & <1.3.1 - Info Disclosure

Title source: llm
STIX 2.1

Description

django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root namespace for both session identifiers and application-data keys, which allows remote attackers to modify a session by triggering use of a key that is equal to that session's identifier.

References (8)

Core 8
Core References
Various Sources vendor-advisory x_refsource_suse
https://hermes.opensuse.org/messages/14700881
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2011/dsa-2332
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/46614
Patch mailing-list x_refsource_mlist
http://openwall.com/lists/oss-security/2011/09/11/1
Patch mailing-list x_refsource_mlist
http://openwall.com/lists/oss-security/2011/09/13/2
Patch, Vendor Advisory x_refsource_confirm
https://www.djangoproject.com/weblog/2011/sep/09/

Scores

EPSS 0.0228
EPSS Percentile 81.1%

Details

CWE
CWE-20
Status published
Products (20)
djangoproject/django 0.91
djangoproject/django 0.95
djangoproject/django 0.95.1
djangoproject/django 0.96
djangoproject/django 1.0
djangoproject/django 1.0.1
djangoproject/django 1.0.2
djangoproject/django 1.1
djangoproject/django 1.1.0
djangoproject/django 1.1.2
... and 10 more
Published Oct 19, 2011
Tracked Since Feb 18, 2026