The LazyUser class in the AuthenticationMiddleware for Django 0.95 does not properly cache the user name across requests, which allows remote authenticated users to gain the privileges of a different user.
| Score | Percentile |
|---|---|
| 0.76% | 72.92% |
No CVSS scores in this advisory.
| Type | Value |
|---|---|
| GHSA | GHSA-mwv2-398h-v489 ↗ |
| CVE | CVE-2007-0405 ↗ |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| pip | Django | = 0.95 | 1.0 | — |