Launchpad.net

Launchpad Home
Code
Bugs
Blueprints
Translations
Answers

CVE 2011-4136

django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root namespace for both session identifiers and application-data keys, which allows remote attackers to modify a session by triggering use of a key that is equal to that session's identifier.

See the

CVE page on Mitre.org for more details.

References

MLIST: [oss-security] 2011091...
MLIST: [oss-security] 2011091...
CONFIRM: https://bugzilla.redha...
CONFIRM: https://www.djangoproj...
CONFIRM: https://www.djangoproj...
DEBIAN: DSA-2332
SECUNIA: 46614
SUSE: openSUSE-SU-2012:0653

Launchpad.net

CVE 2011-4136

Related bugs

References