CVE-2007-0405
EPSS 0.76% | Django Improper Access Control
Published: 5/1/2022 | Modified: 4/28/2026
Description
The LazyUser class in the AuthenticationMiddleware for Django 0.95 caches the resolved user on the shared LazyUser descriptor rather than on the individual request, so the cached user can leak across requests served by the same process. This allows remote authenticated users to gain the privileges of a different user.
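The following is an added illustrative reconstruction of the bug class, not Django's code verbatim and not part of this advisory: a non-data descriptor installed on the request class that caches the resolved user on itself, beside the hardened form that caches on the request instance. `Request`, `get_user`, `process_request` and `simulate` are stand-ins constructed for the demo; the interleaving they model is two requests passing through the middleware before either one touches `request.user`, which a threaded server can produce.

```python
# Added example: reconstruction of the CVE-2007-0405 bug class (not Django's code
# verbatim). Every name below is a constructed stand-in for the demo.


class Request:
    """Minimal stand-in for an HttpRequest; `session` maps to a username."""

    def __init__(self, session_user):
        self.session = {"user": session_user}


def get_user(request):
    """Stand-in for django.contrib.auth.get_user: resolve user from the session."""
    return request.session["user"]


class VulnerableLazyUser:
    """Caches on `self`, i.e. on one descriptor object shared by every request
    that reads the class attribute it is installed as."""

    def __get__(self, request, obj_type=None):
        if not hasattr(self, "_user"):
            self._user = get_user(request)
        return self._user


class FixedLazyUser:
    """Caches on the request instance, so each request resolves its own user."""

    def __get__(self, request, obj_type=None):
        if not hasattr(request, "_cached_user"):
            request._cached_user = get_user(request)
        return request._cached_user


def process_request(request, lazy_user_cls):
    # The vulnerable pattern installs the descriptor on the request *class*,
    # so a later request overwrites the descriptor an earlier one will use.
    request.__class__.user = lazy_user_cls()


def simulate(lazy_user_cls):
    """Interleave two requests: both run the middleware before either resolves
    request.user. Returns (what alice's request sees, what bob's request sees)."""
    alice_req = Request("alice")
    bob_req = Request("bob")
    process_request(alice_req, lazy_user_cls)
    process_request(bob_req, lazy_user_cls)  # replaces the shared descriptor
    bob_sees = bob_req.user    # resolves bob and, if vulnerable, caches him globally
    alice_sees = alice_req.user
    return alice_sees, bob_sees


if __name__ == "__main__":
    print("vulnerable:", simulate(VulnerableLazyUser))  # alice's request gets bob
    print("fixed:     ", simulate(FixedLazyUser))       # each request gets its own
```

The practical check for this class of bug is the same whatever the framework: any per-request value cached by a descriptor, middleware object or module-level variable must be keyed on the request (or stored on it), never on an object that outlives a single request.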
Affected packages (2)
- Debian/python-django: from 0, < 0.95.1-1
- PyPI/django: >= 0.95, < 1.0
References (7)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2007-0405
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2007-0405
- PATCH: https://github.com/django/django
- WEB: http://code.djangoproject.com/changeset/3754
- WEB: https://exchange.xforce.ibmcloud.com/vulnerabilities/31628
- WEB: https://github.com/django/django/commit/3c5782287e
- WEB: https://github.com/django/django/commit/e89f0a65581f82a5740bfe989136cea75d09cd67