CVE-2014-0482
Django <1.4.14-1.7 - Auth Bypass
The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors related to the REMOTE_USER header.
References (6)
Scores
EPSS: 0.0071
EPSS Percentile: 72.0%
Classification
CWE: CWE-287
Status: draft
Affected Products (43)
opensuse/opensuse
opensuse/opensuse
djangoproject/django
djangoproject/django
djangoproject/django
djangoproject/django
djangoproject/django
djangoproject/django
djangoproject/django
djangoproject/django
djangoproject/django
djangoproject/django
djangoproject/django < 1.4.13
djangoproject/django
djangoproject/django
... and 28 more
Timeline
Published: Aug 26, 2014
Tracked Since: Feb 18, 2026