VYPR
Moderate severity · NVD Advisory · Published Oct 19, 2011 · Updated Apr 29, 2026

CVE-2011-4136
Description

django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root namespace for both session identifiers and application-data keys, which allows remote attackers to modify a session by triggering use of a key that is equal to that session's identifier.
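The collision the description refers to, as an added example that is not Django's code: a toy in-memory cache standing in for django.core.cache, with a pre-fix session store keyed by the bare session id next to a store that applies the KEY_PREFIX introduced by the fix commits below. ToyCache, UnprefixedSessionStore, PrefixedSessionStore, collision_demo and the session values are all constructed for this illustration.

```python
import secrets

KEY_PREFIX = "django.contrib.sessions.cache"  # constant from the fix commit


class ToyCache:
    """Stand-in for django.core.cache: one flat namespace for every caller."""

    def __init__(self):
        self._data = {}

    def get(self, key, default=None):
        return self._data.get(key, default)

    def set(self, key, value):
        self._data[key] = value


class UnprefixedSessionStore:
    """Pre-fix behaviour: the bare session id is the cache key."""

    def __init__(self, cache, session_key=None):
        self.cache = cache
        self.session_key = session_key or secrets.token_hex(16)

    def _cache_key(self):
        return self.session_key

    def save(self, data):
        self.cache.set(self._cache_key(), data)

    def load(self):
        return self.cache.get(self._cache_key(), {})


class PrefixedSessionStore(UnprefixedSessionStore):
    """Post-fix behaviour: session entries live under their own namespace."""

    def _cache_key(self):
        return KEY_PREFIX + self.session_key


def collision_demo(store_cls):
    """Save a session, let unrelated code cache a value under a key equal to
    the session id, and return what the session loads afterwards."""
    cache = ToyCache()
    store = store_cls(cache)
    store.save({"_auth_user_id": "42"})  # constructed session data
    # Application code caching under a request-derived key that happens to
    # equal the session identifier in the shared namespace.
    cache.set(store.session_key, {"_auth_user_id": "1"})
    return store.load()
```

With the unprefixed store the application write replaces the session; with the prefixed store the two keys no longer coincide and the session is unchanged.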

Affected packages

Versions sourced from the GitHub Security Advisory.

Package   Ecosystem   Affected versions   Patched versions
Django    PyPI        < 1.2.7             1.2.7
Django    PyPI        >= 1.3, < 1.3.1     1.3.1

Affected products

  • cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:* (range: <=1.2.6)
  • cpe:2.3:a:djangoproject:django:0.91:*:*:*:*:*:*:*
  • cpe:2.3:a:djangoproject:django:0.95:*:*:*:*:*:*:*
  • cpe:2.3:a:djangoproject:django:0.95.1:*:*:*:*:*:*:*
  • cpe:2.3:a:djangoproject:django:0.96:*:*:*:*:*:*:*
  • cpe:2.3:a:djangoproject:django:1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:djangoproject:django:1.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:djangoproject:django:1.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:djangoproject:django:1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:djangoproject:django:1.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:djangoproject:django:1.1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:djangoproject:django:1.1.3:*:*:*:*:*:*:*
  • cpe:2.3:a:djangoproject:django:1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:djangoproject:django:1.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:djangoproject:django:1.2.1:2:*:*:*:*:*:*
  • cpe:2.3:a:djangoproject:django:1.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:djangoproject:django:1.2.3:*:*:*:*:*:*:*
  • cpe:2.3:a:djangoproject:django:1.2.4:*:*:*:*:*:*:*
  • cpe:2.3:a:djangoproject:django:1.2.5:*:*:*:*:*:*:*
  • cpe:2.3:a:djangoproject:django:1.3:*:*:*:*:*:*:*
  • cpe:2.3:a:djangoproject:django:1.3:alpha1:*:*:*:*:*:*
  • cpe:2.3:a:djangoproject:django:1.3:alpha2:*:*:*:*:*:*

Patches

ac7c3a110f90

[1.2.X] Corrected an issue which could allow attackers to manipulate session data using the cache. A security announcement will be made shortly.

https://github.com/django/django · Russell Keith-Magee · Sep 10, 2011 · via ghsa
2 files changed · +15 -9
  • django/contrib/sessions/backends/cached_db.py (+9 -5, modified)
    @@ -6,6 +6,8 @@
     from django.contrib.sessions.backends.db import SessionStore as DBStore
     from django.core.cache import cache
     
    +KEY_PREFIX = "django.contrib.sessions.cached_db"
    +
     class SessionStore(DBStore):
         """
         Implements cached, database backed sessions.
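Review bot: the new constant `KEY_PREFIX = "django.contrib.sessions.cached_db"` carries no comment, and the reason it exists is the whole security fix: session identifiers and application cache keys previously shared the root cache namespace, so a cache.set() anywhere in the project under a key equal to a session id overwrote that session. Add a one-line comment above the constant saying it namespaces session entries away from every other cache user, and consider ending the prefix with a separator such as ":" so the stored key is unambiguous to anyone inspecting the cache. The change set also touches only the two backend modules (2 files changed): a regression test that writes a cache value under a key equal to a live session id and asserts the session still loads unchanged would pin the fix.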
    @@ -15,22 +17,24 @@ def __init__(self, session_key=None):
             super(SessionStore, self).__init__(session_key)
     
         def load(self):
    -        data = cache.get(self.session_key, None)
    +        data = cache.get(KEY_PREFIX + self.session_key, None)
             if data is None:
                 data = super(SessionStore, self).load()
    -            cache.set(self.session_key, data, settings.SESSION_COOKIE_AGE)
    +            cache.set(KEY_PREFIX + self.session_key, data, 
    +                      settings.SESSION_COOKIE_AGE)
             return data
     
         def exists(self, session_key):
             return super(SessionStore, self).exists(session_key)
     
         def save(self, must_create=False):
             super(SessionStore, self).save(must_create)
    -        cache.set(self.session_key, self._session, settings.SESSION_COOKIE_AGE)
    +        cache.set(KEY_PREFIX + self.session_key, self._session, 
    +                  settings.SESSION_COOKIE_AGE)
     
         def delete(self, session_key=None):
             super(SessionStore, self).delete(session_key)
    -        cache.delete(session_key or self.session_key)
    +        cache.delete(KEY_PREFIX + (session_key or self.session_key))
     
         def flush(self):
             """
    @@ -39,4 +43,4 @@ def flush(self):
             """
             self.clear()
             self.delete(self.session_key)
    -        self.create()
    \ No newline at end of file
    +        self.create()
    
  • django/contrib/sessions/backends/cache.py (+6 -4, modified)
    @@ -1,6 +1,8 @@
     from django.contrib.sessions.backends.base import SessionBase, CreateError
     from django.core.cache import cache
     
    +KEY_PREFIX = "django.contrib.sessions.cache"
    +
     class SessionStore(SessionBase):
         """
         A cache-based session store.
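Review bot: the prefix here (`"django.contrib.sessions.cache"`) differs from the cached_db one (`"django.contrib.sessions.cached_db"`), which is the right call: the two backends must never read each other's entries even when they share one cache. Same documentation point as the other module: a comment on the constant should state that it separates session entries from the rest of the cache namespace, because a later reader will otherwise not see why a bare session id must never be used as a cache key. Note that the isolation is by convention only; nothing stops other code from writing under this prefix, so treat the constant as private to the module rather than something to import elsewhere.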
    @@ -10,7 +12,7 @@ def __init__(self, session_key=None):
             super(SessionStore, self).__init__(session_key)
     
         def load(self):
    -        session_data = self._cache.get(self.session_key)
    +        session_data = self._cache.get(KEY_PREFIX + self.session_key)
             if session_data is not None:
                 return session_data
             self.create()
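Review bot: a deployment caveat for the release note: load() now looks the session up under KEY_PREFIX + self.session_key and falls through to self.create() on a miss, so every session written by the previous version (stored under the bare id) becomes invisible the moment this code is deployed and all users are logged out. Unlike cached_db, this backend has no database copy to recover from, and the old unprefixed entries linger in the cache until they expire.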
    @@ -37,13 +39,13 @@ def save(self, must_create=False):
                 func = self._cache.add
             else:
                 func = self._cache.set
    -        result = func(self.session_key, self._get_session(no_load=must_create),
    +        result = func(KEY_PREFIX + self.session_key, self._get_session(no_load=must_create),
                     self.get_expiry_age())
             if must_create and not result:
                 raise CreateError
     
         def exists(self, session_key):
    -        if self._cache.has_key(session_key):
    +        if self._cache.has_key(KEY_PREFIX + session_key):
                 return True
             return False
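Review bot: the changed line `result = func(KEY_PREFIX + self.session_key, self._get_session(no_load=must_create),` is now well past 79 columns; wrap it the way the cached_db.py hunk does, with the key on one line and the data and expiry arguments on continuation lines. While exists() is being touched it could collapse to `return self._cache.has_key(KEY_PREFIX + session_key)`. The add-versus-set split for must_create is preserved with the prefixed key, so the CreateError behaviour is unchanged.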
     
    @@ -52,5 +54,5 @@ def delete(self, session_key=None):
                 if self._session_key is None:
                     return
                 session_key = self._session_key
    -        self._cache.delete(session_key)
    +        self._cache.delete(KEY_PREFIX + session_key)
     
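Review bot: this is the None guard that cached_db.py's delete() lacks in the same change set: when no key is passed and self._session_key is None the method returns before touching the cache, so `KEY_PREFIX + session_key` is only ever evaluated on a real string. Fine as written; give cached_db.py the same early return so the two backends behave alike.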
    
fbe2eead2fa9

[1.3.X] Corrected an issue which could allow attackers to manipulate session data using the cache. A security announcement will be made shortly.

https://github.com/django/django · Russell Keith-Magee · Sep 10, 2011 · via ghsa
2 files changed · +15 -9
  • django/contrib/sessions/backends/cached_db.py (+9 -5, modified)
    @@ -6,6 +6,8 @@
     from django.contrib.sessions.backends.db import SessionStore as DBStore
     from django.core.cache import cache
     
    +KEY_PREFIX = "django.contrib.sessions.cached_db"
    +
     class SessionStore(DBStore):
         """
         Implements cached, database backed sessions.
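Review bot: this 1.3.X commit is line-for-line identical to ac7c3a110f90 (1.2.X) above, hunk headers included, so every point raised there carries over unchanged: document why KEY_PREFIX exists, guard delete() in cached_db.py against a None session key before the string concatenation, wrap the over-long func(...) line in cache.py, add a regression test, and warn in the 1.3 release note that cache-backend sessions written by the previous version are invalidated on deploy.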
    @@ -15,22 +17,24 @@ def __init__(self, session_key=None):
             super(SessionStore, self).__init__(session_key)
     
         def load(self):
    -        data = cache.get(self.session_key, None)
    +        data = cache.get(KEY_PREFIX + self.session_key, None)
             if data is None:
                 data = super(SessionStore, self).load()
    -            cache.set(self.session_key, data, settings.SESSION_COOKIE_AGE)
    +            cache.set(KEY_PREFIX + self.session_key, data, 
    +                      settings.SESSION_COOKIE_AGE)
             return data
     
         def exists(self, session_key):
             return super(SessionStore, self).exists(session_key)
     
         def save(self, must_create=False):
             super(SessionStore, self).save(must_create)
    -        cache.set(self.session_key, self._session, settings.SESSION_COOKIE_AGE)
    +        cache.set(KEY_PREFIX + self.session_key, self._session, 
    +                  settings.SESSION_COOKIE_AGE)
     
         def delete(self, session_key=None):
             super(SessionStore, self).delete(session_key)
    -        cache.delete(session_key or self.session_key)
    +        cache.delete(KEY_PREFIX + (session_key or self.session_key))
     
         def flush(self):
             """
    @@ -39,4 +43,4 @@ def flush(self):
             """
             self.clear()
             self.delete(self.session_key)
    -        self.create()
    \ No newline at end of file
    +        self.create()
    
  • django/contrib/sessions/backends/cache.py (+6 -4, modified)
    @@ -1,6 +1,8 @@
     from django.contrib.sessions.backends.base import SessionBase, CreateError
     from django.core.cache import cache
     
    +KEY_PREFIX = "django.contrib.sessions.cache"
    +
     class SessionStore(SessionBase):
         """
         A cache-based session store.
    @@ -10,7 +12,7 @@ def __init__(self, session_key=None):
             super(SessionStore, self).__init__(session_key)
     
         def load(self):
    -        session_data = self._cache.get(self.session_key)
    +        session_data = self._cache.get(KEY_PREFIX + self.session_key)
             if session_data is not None:
                 return session_data
             self.create()
    @@ -37,13 +39,13 @@ def save(self, must_create=False):
                 func = self._cache.add
             else:
                 func = self._cache.set
    -        result = func(self.session_key, self._get_session(no_load=must_create),
    +        result = func(KEY_PREFIX + self.session_key, self._get_session(no_load=must_create),
                     self.get_expiry_age())
             if must_create and not result:
                 raise CreateError
     
         def exists(self, session_key):
    -        if self._cache.has_key(session_key):
    +        if self._cache.has_key(KEY_PREFIX + session_key):
                 return True
             return False
     
    @@ -52,5 +54,5 @@ def delete(self, session_key=None):
                 if self._session_key is None:
                     return
                 session_key = self._session_key
    -        self._cache.delete(session_key)
    +        self._cache.delete(KEY_PREFIX + session_key)
     
    
