| Title | Information disclosure vulnerability in Django Channels |
|---|---|
| Summary | Django Channels contains an information disclosure vulnerability. |
| Possible impacts | Information may be obtained, and a denial-of-service (DoS) condition may be caused. |
| Solution | An official fix has been released by the vendor. Refer to the vendor information and apply the appropriate countermeasures. |
| Publication Date | Dec. 24, 2020, midnight |
| Registration Date | Nov. 12, 2021, 12:20 p.m. |
| Last Update | Nov. 12, 2021, 12:20 p.m. |
| CVSS 3.0: High | |
|---|---|
| Score | 7.4 |
| Vector | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H |

| CVSS 2.0: Medium | |
|---|---|
| Score | 5.8 |
| Vector | AV:N/AC:M/Au:N/C:P/I:N/A:P |
| Vendor | Product |
|---|---|
| Django Software Foundation | Channels 3.x prior to 3.0.3 |
| No | Changed Details | Date of change |
|---|---|---|
| 1 | [Nov. 12, 2021] Published | Nov. 12, 2021, 12:20 p.m. |
| Summary | Django Channels 3.x before 3.0.3 allows remote attackers to obtain sensitive information from a different request scope. The legacy channels.http.AsgiHandler class, used for handling HTTP type requests in an ASGI environment prior to Django 3.0, did not correctly separate request scopes in Channels 3.0. In many cases this would result in a crash but, with correct timing, responses could be sent to the wrong client, resulting in potential leakage of session identifiers and other sensitive data. Note that this affects only the legacy Channels provided class, and not Django's similar ASGIHandler, available from Django 3.0. |
|---|---|
| Publication Date | Feb. 22, 2021, 12:15 p.m. |
| Registration Date | Feb. 22, 2021, 5:28 p.m. |
| Last Update | Nov. 21, 2024, 2:27 p.m. |
| Configuration 1 | or higher | or less | more than | less than | |
|---|---|---|---|---|---|
| cpe:2.3:a:djangoproject:channels:*:*:*:*:*:*:*:* | 3.0.0 | 3.0.3 | | | |