CVE-2020-35681 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2020-35681 Interim 1 11 2025-02-17T01:07:16Z current 2021-05-30T14:45:55Z 2025-02-17T01:07:16Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2020-35681 Django Channels 3.x before 3.0.3 allows remote attackers to obtain sensitive information from a different request scope. The legacy channels.http.AsgiHandler class, used for handling HTTP type requests in an ASGI environment prior to Django 3.0, did not correctly separate request scopes in Channels 3.0. In many cases this would result in a crash but, with correct timing, responses could be sent to the wrong client, resulting in potential leakage of session identifiers and other sensitive data. Note that this affects only the legacy Channels provided class, and not Django's similar ASGIHandler, available from Django 3.0. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://www.suse.com/support/security/rating/ SUSE Security Ratings HPE Helion OpenStack 8 SUSE Enterprise Storage 5 SUSE OpenStack Cloud 7 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud 9 SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud Crowbar 9 python-Django python-Django1 python-Django as a component of HPE Helion OpenStack 8 python-Django as a component of SUSE Enterprise Storage 5 python-Django as a component of SUSE OpenStack Cloud 7 python-Django as a component of SUSE OpenStack Cloud 8 python-Django1 as a component of SUSE OpenStack Cloud 9 python-Django as a component of SUSE OpenStack Cloud Crowbar 8 python-Django1 as a component of SUSE OpenStack Cloud Crowbar 9 Django Channels 3.x before 3.0.3 allows remote attackers to obtain sensitive information from a different request scope. The legacy channels.http.AsgiHandler class, used for handling HTTP type requests in an ASGI environment prior to Django 3.0, did not correctly separate request scopes in Channels 3.0. In many cases this would result in a crash but, with correct timing, responses could be sent to the wrong client, resulting in potential leakage of session identifiers and other sensitive data. Note that this affects only the legacy Channels provided class, and not Django's similar ASGIHandler, available from Django 3.0. CVE-2020-35681 HPE Helion OpenStack 8:python-Django SUSE Enterprise Storage 5:python-Django SUSE OpenStack Cloud 7:python-Django SUSE OpenStack Cloud 8:python-Django SUSE OpenStack Cloud 9:python-Django1 SUSE OpenStack Cloud Crowbar 8:python-Django SUSE OpenStack Cloud Crowbar 9:python-Django1 important 5.8 AV:N/AC:M/Au:N/C:P/I:N/A:P 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H