CVE-2011-0698
high
CVSS v3
—
CVSS v2
7.5
VIR risk
7.5
Description
Directory traversal vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 on Windows might allow remote attackers to read or execute files via a / (slash) character in a key in a session cookie, related to session replays.
Predictions
Exploit likelihood
30%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2011-0698
Vendor advisory: secalert@redhat.com — http://www.djangoproject.com/weblog/2011/feb/08/security/
Vendor advisory: secalert@redhat.com — http://openwall.com/lists/oss-security/2011/02/09/6
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | fixed | 0 |
| debian | bullseye | fixed | 0 |
| debian | forky | fixed | 0 |
| debian | sid | fixed | 0 |
| debian | trixie | fixed | 0 |
References
- https://nvd.nist.gov/vuln/detail/CVE-2011-0698
- https://github.com/django/django/commit/194566480b15cf4e294d3f03ff587019b74044b2
- https://github.com/django/django/commit/570a32a047ea56265646217264b0d3dab1a14dbd
- https://github.com/advisories/GHSA-7g9h-c88w-r7h2
- https://github.com/django/django
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2011-12.yaml
- https://web.archive.org/web/20110521033259/http://secunia.com/advisories/43230
- https://web.archive.org/web/20130616104703/http://www.securityfocus.com/bid/46296
- http://openwall.com/lists/oss-security/2011/02/09/6
- http://www.djangoproject.com/weblog/2011/feb/08/security
- http://www.mandriva.com/security/advisories?name=MDVSA-2011:031
- http://secunia.com/advisories/43230
- http://www.djangoproject.com/weblog/2011/feb/08/security/
- http://www.securityfocus.com/bid/46296
- http://www.vupen.com/english/advisories/2011/0372
- http://www.vupen.com/english/advisories/2011/0439
- https://security-tracker.debian.org/tracker/CVE-2011-0698
CWEs
CWE-22
Verify integrity in audit chain (admin only). AS-IS.