#VU41379 Improper Authentication in Opensuse and Django - CVE-2014-0482

Cybersecurity Help s.r.o.

Published: 2014-08-26 | Updated: 2020-08-10

Vulnerability identifier: #VU41379

Vulnerability risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2014-0482

CWE-ID: CWE-287

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Opensuse
Operating systems & Components / Operating system
Django
Web applications / CMS

Vendor: SUSE
Django Software Foundation

Description

The vulnerability allows a remote #AU# to read and manipulate data.

The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors related to the REMOTE_USER header.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Opensuse: 12.3 - 13.1

Django: 1.4 - 13.1

External links
https://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html
https://secunia.com/advisories/59782
https://secunia.com/advisories/61276
https://secunia.com/advisories/61281
https://www.debian.org/security/2014/dsa-3010
https://www.djangoproject.com/weblog/2014/aug/20/security/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Gentoo update for Django

Fedora EPEL 6 update for Django14