CVE-2007-0405
Django Improper Access Control
EPSS 0.76%
Description
The LazyUser class in the AuthenticationMiddleware for Django 0.95 does not properly cache the user name across requests, which allows remote authenticated users to gain the privileges of a different user.
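As an added illustration of the caching mistake the description refers to (not Django's own code and not part of this advisory), the snippet below uses stand-in `Request` and `get_user` objects and two minimal `LazyUser` descriptor variants: one that caches the resolved user on the descriptor object, which is stored once on the class and therefore shared by every request, and one that caches on the request instance.

```python
# Added illustration of the bug class behind CVE-2007-0405; simplified stand-ins,
# not Django's actual LazyUser, AuthenticationMiddleware or get_user.

class Request:
    """Stand-in for an HTTP request; carries only the user id from its session."""
    def __init__(self, session_user):
        self.session_user = session_user


def get_user(request):
    """Stand-in for django.contrib.auth.get_user: resolve the session's user."""
    return request.session_user


class VulnerableLazyUser:
    """Caches on the descriptor object. A descriptor is stored once on the
    class, so the first request's user is handed to every later request."""
    def __get__(self, request, obj_type=None):
        if not hasattr(self, "_user"):
            self._user = get_user(request)
        return self._user


class FixedLazyUser:
    """Caches on the request instance, so each request resolves its own user."""
    def __get__(self, request, obj_type=None):
        if not hasattr(request, "_cached_user"):
            request._cached_user = get_user(request)
        return request._cached_user


def users_seen(lazy_user_cls, session_users):
    """Run a sequence of requests from different sessions through a fresh
    request class using the given descriptor; return the user attributed to
    each request. A fresh class per call means each run starts uncached."""
    request_cls = type("Req", (Request,), {"user": lazy_user_cls()})
    return [request_cls(user).user for user in session_users]


if __name__ == "__main__":
    # Vulnerable: both requests are attributed to 'alice'. Fixed: alice, bob.
    print(users_seen(VulnerableLazyUser, ["alice", "bob"]))
    print(users_seen(FixedLazyUser, ["alice", "bob"]))
```

The check to carry into a regression test is the second request: with per-request caching it must resolve to its own session's user, not the one that happened to go first.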
How to fix CVE-2007-0405
To remediate CVE-2007-0405, upgrade the affected package to one of the fixed versions listed below.
- Debian/python-django—upgrade to 0.95.1-1 or later
- PyPI/django—upgrade to 1.0 or later
Is CVE-2007-0405 being exploited?
Low — EPSS is 0.8%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- Debian/python-django: from 0, < 0.95.1-1
- PyPI/django: >= 0.95, < 1.0