VDB
CVE-2020-35681
CVE-2020-35681
PUBLISHED
Django Channels 3.x before 3.0.3 allows remote attackers to obtain sensitive information from a different request scope. The legacy channels.http.AsgiHandler class, used for handling HTTP type requests in an ASGI environment prior to Django 3.0, did not correctly separate request scopes in Channels 3.0. In many cases this would result in a crash but, with correct timing, responses could be sent to the wrong client, resulting in potential leakage of session identifiers and other sensitive data. Note that this affects only the legacy Channels provided class, and not Django's similar ASGIHandler, available from Django 3.0.
EPSS 0.80% · 74.4th percentile
Risk Scores
EPSS Score
0.80%
74.4th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:20.04:LTS | python-django-channels | 0, 2.2.0-1, 2.3.0-1 |
| Ubuntu:18.04:LTS | python-django-channels | 0, 1.1.8.1-1 |
Exploit Intelligence
Timeline
- Feb 22, 2021 CVE Published
- Apr 14, 2021 EPSS Score
- Jun 23, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Dec 27, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Feb 4, 2022 EPSS Score
- Feb 28, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- Jul 3, 2022 EPSS Score
- Sep 4, 2022 EPSS Score
- Nov 6, 2022 EPSS Score
References
- https://ubuntu.com/security/CVE-2020-35681 third-party-advisory
- https://channels.readthedocs.io/en/latest/releases/3.0.3.html#cve-2020-35681-potential-leakage-of-session-identifiers-using-legacy-asgihandler third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2020-35681 third-party-advisory