{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-08-20T00:00:00", "descriptions": [{"lang": "en", "value": "The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors related to the REMOTE_USER header."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-01-04T17:57:01", "orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5", "shortName": "debian"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.djangoproject.com/weblog/2014/aug/20/security/"}, {"name": "61276", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/61276"}, {"name": "61281", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/61281"}, {"name": "openSUSE-SU-2014:1132", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html"}, {"name": "DSA-3010", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2014/dsa-3010"}, {"name": "59782", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/59782"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@debian.org", "ID": "CVE-2014-0482", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors related to the REMOTE_USER header."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.djangoproject.com/weblog/2014/aug/20/security/", "refsource": "CONFIRM", "url": "https://www.djangoproject.com/weblog/2014/aug/20/security/"}, {"name": "61276", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/61276"}, {"name": "61281", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/61281"}, {"name": "openSUSE-SU-2014:1132", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html"}, {"name": "DSA-3010", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2014/dsa-3010"}, {"name": "59782", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/59782"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T09:20:18.469Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.djangoproject.com/weblog/2014/aug/20/security/"}, {"name": "61276", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/61276"}, {"name": "61281", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/61281"}, {"name": "openSUSE-SU-2014:1132", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html"}, {"name": "DSA-3010", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2014/dsa-3010"}, {"name": "59782", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/59782"}]}]}, "cveMetadata": {"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5", "assignerShortName": "debian", "cveId": "CVE-2014-0482", "datePublished": "2014-08-26T14:00:00", "dateReserved": "2013-12-19T00:00:00", "dateUpdated": "2024-08-06T09:20:18.469Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:opensuse:opensuse:12.3:*:*:*:*:*:*:*", "matchCriteriaId": "DFBF430B-0832-44B0-AA0E-BA9E467F7668", "vulnerable": true}, {"criteria": "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*", "matchCriteriaId": "A10BC294-9196-425F-9FB0-B1625465B47F", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:djangoproject:django:1.6:-:*:*:*:*:*:*", "matchCriteriaId": "29477EEA-D5F8-45A9-9777-8A6BC7C668A5", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.6:beta1:*:*:*:*:*:*", "matchCriteriaId": "A83451BD-1D67-4A7F-A62C-F597E51FCC21", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.6:beta2:*:*:*:*:*:*", "matchCriteriaId": "0300DC0D-5DD0-42B5-9FE0-54DC557EA40D", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.6:beta3:*:*:*:*:*:*", "matchCriteriaId": "85A2021F-B2AF-40DC-9FA2-5F90D2EB813E", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.6:beta4:*:*:*:*:*:*", "matchCriteriaId": "07B12D68-BB49-4931-9D9E-D8134FC0B350", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.6.1:*:*:*:*:*:*:*", "matchCriteriaId": "0CC369A0-0092-450D-91E9-13C7AF7EBC16", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.6.2:*:*:*:*:*:*:*", "matchCriteriaId": "4B6B7974-ABEF-4E0C-8503-6E9C22D28C78", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.6.3:*:*:*:*:*:*:*", "matchCriteriaId": "55460F1D-661B-465C-8A22-E4E6DA2834B3", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.6.4:*:*:*:*:*:*:*", "matchCriteriaId": "9FD4FB46-3A98-4B9B-A241-C39E2C2A0FEC", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.6.5:*:*:*:*:*:*:*", "matchCriteriaId": "FF87FDAB-51A2-41C4-A4C4-5180B0230C3F", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "matchCriteriaId": "2EA690BD-2FBA-425B-AC6F-046081E21183", "versionEndIncluding": "1.4.13", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.4:*:*:*:*:*:*:*", "matchCriteriaId": "9A79FF7F-8F92-4FEB-96CC-6B15D0CE920D", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "13EF02D4-406C-4146-9B8F-FAC906E7B6E5", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.4.2:*:*:*:*:*:*:*", "matchCriteriaId": "DC462CE5-1BE0-41E0-A28D-291350F021AA", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.4.4:*:*:*:*:*:*:*", "matchCriteriaId": "4166ADA9-D5B4-47D6-BD93-C98841108275", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.4.5:*:*:*:*:*:*:*", "matchCriteriaId": "080D43D0-C0FF-4F89-910C-D466943816C6", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.4.6:*:*:*:*:*:*:*", "matchCriteriaId": "E04AE832-9059-42AB-AD39-D01E7A633615", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.4.7:*:*:*:*:*:*:*", "matchCriteriaId": "693EEF6B-810B-4684-9AB5-1BDC95DFA4CF", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.4.8:*:*:*:*:*:*:*", "matchCriteriaId": "C9EF4268-0DB7-4150-B8E7-53C6D7F02E04", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.4.9:*:*:*:*:*:*:*", "matchCriteriaId": "C571F85F-9F49-48B6-9AD9-16CD81655F73", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.4.10:*:*:*:*:*:*:*", "matchCriteriaId": "41F0F1FA-E3EC-421C-9F72-11FC857F6F72", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.4.11:*:*:*:*:*:*:*", "matchCriteriaId": "D4031E5F-B5D6-4E7D-96FC-A4ACF9C306A2", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.4.12:*:*:*:*:*:*:*", "matchCriteriaId": "7B1577DD-B40E-404B-8E55-3A93AB8A8F62", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:djangoproject:django:1.7:beta1:*:*:*:*:*:*", "matchCriteriaId": "BB1EF6D7-0AF4-4146-BA37-961F7048C1C0", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.7:beta2:*:*:*:*:*:*", "matchCriteriaId": "5E4CCE84-425C-4B9C-98B7-D858B64B3418", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.7:beta3:*:*:*:*:*:*", "matchCriteriaId": "B6B77FCE-F26A-41CB-8D72-E9EF0E352288", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.7:beta4:*:*:*:*:*:*", "matchCriteriaId": "985884FE-AEB9-4D93-806E-ADFCC576FF99", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.7:rc1:*:*:*:*:*:*", "matchCriteriaId": "D81EE1B4-9CB4-4776-A7CE-44B023C67CA7", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.7:rc2:*:*:*:*:*:*", "matchCriteriaId": "81798B3D-A000-40D5-A369-C9A0BEF79A5E", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:djangoproject:django:1.5:*:*:*:*:*:*:*", "matchCriteriaId": "CCDB4B76-6541-4405-B74C-3EEAF84A04E1", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.5:alpha:*:*:*:*:*:*", "matchCriteriaId": "8A26B113-8D22-46E5-92C3-12134A68A21E", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.5:beta:*:*:*:*:*:*", "matchCriteriaId": "0D99FB28-08F3-45B4-8C04-90074FBC2457", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "4E2A29CC-A92B-4EC1-8225-408A5048C033", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "73317E26-AA3A-4437-9261-CE76BC1A0749", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.5.3:*:*:*:*:*:*:*", "matchCriteriaId": "E6046CEB-6CF5-406F-BF6B-4D8C24DDA6FD", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.5.4:*:*:*:*:*:*:*", "matchCriteriaId": "A666B9E5-EA1B-4FA9-A685-61ECF26CB084", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.5.5:*:*:*:*:*:*:*", "matchCriteriaId": "8EB3FED4-C50A-4449-9A7B-552CFB02F860", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.5.6:*:*:*:*:*:*:*", "matchCriteriaId": "5B4F3D5C-5768-48F1-8A39-1B87EC061F37", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.5.7:*:*:*:*:*:*:*", "matchCriteriaId": "B10E08DF-6B92-452A-876B-DC8D376B0B41", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.5.8:*:*:*:*:*:*:*", "matchCriteriaId": "DFC18F77-77CB-45CB-869E-267DACD19601", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors related to the REMOTE_USER header."}, {"lang": "es", "value": "El middleware contrib.auth.middleware.RemoteUserMiddleware en Django anterior a 1.4.14, 1.5.x anterior a 1.5.9, 1.6.x anterior a 1.6.6, y 1.7 anterior a release candidate 3, cuando utiliza el backend contrib.auth.backends.RemoteUserBackend, permite a usuarios remotos autenticados secuestrar sesiones web a trav\u00e9s de vectores relacionados con la cabecera REMOTE_USER."}], "id": "CVE-2014-0482", "lastModified": "2018-10-30T16:27:34.687", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-08-26T14:55:05.297", "references": [{"source": "security@debian.org", "url": "http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html"}, {"source": "security@debian.org", "url": "http://secunia.com/advisories/59782"}, {"source": "security@debian.org", "url": "http://secunia.com/advisories/61276"}, {"source": "security@debian.org", "url": "http://secunia.com/advisories/61281"}, {"source": "security@debian.org", "url": "http://www.debian.org/security/2014/dsa-3010"}, {"source": "security@debian.org", "tags": ["Vendor Advisory"], "url": "https://www.djangoproject.com/weblog/2014/aug/20/security/"}], "sourceIdentifier": "security@debian.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank upstream Django project for reporting this issue. Upstream acknowledges David Greisen as the original reporter.", "bugzilla": {"description": "Django: RemoteUserMiddleware session hijacking", "id": "1129954", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1129954"}, "csaw": false, "cvss": {"cvss_base_score": "5.8", "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "status": "draft"}, "details": ["The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors related to the REMOTE_USER header."], "name": "CVE-2014-0482", "package_state": [{"cpe": "cpe:/a:redhat:openstack:5::el6", "fix_state": "Affected", "package_name": "python-django", "product_name": "Red Hat Enterprise Linux OpenStack Platform 5 (Icehouse)"}, {"cpe": "cpe:/a:redhat:openstack:4", "fix_state": "Affected", "package_name": "Django14", "product_name": "Red Hat OpenStack Platform 4"}, {"cpe": "cpe:/a:rhel_sam:1", "fix_state": "Affected", "package_name": "Django", "product_name": "Red Hat Subscription Asset Manager"}], "public_date": "2014-08-20T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2014-0482\nhttps://nvd.nist.gov/vuln/detail/CVE-2014-0482\nhttps://www.djangoproject.com/weblog/2014/aug/20/security/"], "threat_severity": "Moderate", "upstream_fix": "django 1.4.14, django 1.5.9, django 1.6.6, django 1.7-rc3"}