Bug 1843614 (CVE-2020-13254) - CVE-2020-13254 django: potential data leakage via malformed memcached keys
Summary: CVE-2020-13254 django: potential data leakage via malformed memcached keys
Keywords:
Status: NEW
Alias: CVE-2020-13254
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1843618 1843620 1845340 1845342 1845442 1845455 1843616 1843617 1843619 1844992 1845341 1845729 1852453
Blocks: 1843622
Reported: 2020-06-03 16:41 UTC by Guilherme de Almeida Suckevicz
Modified: 2020-09-10 21:20 UTC (History)

Fixed In Version: Django-3.0.7, Django-2.2.13
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Django, where the memcached cache backend does not perform key validation and passes malformed keys through to memcached. This flaw can cause a key collision and potential data leakage. The highest threat from this vulnerability is to confidentiality.
Clone Of:
Environment:
Last Closed:


Description Guilherme de Almeida Suckevicz 2020-06-03 16:41:32 UTC
In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage. In order to avoid this vulnerability, key validation is added to the memcached cache backends.

Reference:
https://www.djangoproject.com/weblog/2020/jun/03/security-releases/
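The memcached text protocol separates the fields of a command such as `set <key> <flags> <exptime> <bytes>` with spaces and terminates lines with CRLF, and it caps keys at 250 bytes, so a key that carries whitespace or control characters is not stored under the name the application thinks it used. The following is an added illustration of the kind of check the fix introduces; it is not Django's code and not part of this bug report. The `prefix:version:key` layout, the 250-byte limit and the character rule (anything below ASCII 33, or DEL) are stated here as assumptions about what a hardened backend enforces, and the tokenizer is a simplified model of the server's parsing, constructed for the example.

```python
"""Key validation for a memcached-backed cache (illustrative, not Django's code)."""

# Assumed limit of the memcached text protocol for a single key.
MEMCACHE_MAX_KEY_LENGTH = 250


class InvalidCacheKey(ValueError):
    """Raised when a key cannot be sent to memcached without ambiguity."""


def make_key(key, key_prefix="", version=1):
    """Assumed `prefix:version:key` layout used to namespace cache entries."""
    return f"{key_prefix}:{version}:{key}"


def memcache_key_problems(key):
    """Return the reasons (possibly none) why `key` is unsafe for memcached."""
    problems = []
    if len(key) > MEMCACHE_MAX_KEY_LENGTH:
        problems.append(f"key longer than {MEMCACHE_MAX_KEY_LENGTH} bytes")
    # Whitespace and control characters (ord < 33) and DEL (127) would be
    # interpreted by the text protocol as field separators or line ends.
    if any(ord(c) < 33 or ord(c) == 127 for c in key):
        problems.append("key contains whitespace or control characters")
    return problems


def validate_key(key):
    """Reject a malformed key before it reaches the server; return it otherwise."""
    problems = memcache_key_problems(key)
    if problems:
        raise InvalidCacheKey(f"{key!r}: " + "; ".join(problems))
    return key


def is_valid_key(key):
    """Boolean form of validate_key, convenient for callers and tests."""
    return not memcache_key_problems(key)


def server_side_key(full_key):
    """Constructed model of the text-protocol tokenizer: the server reads the
    key up to the first whitespace, so everything after it is no longer part
    of the key (and may even be parsed as the next command field)."""
    tokens = full_key.split()
    return tokens[0] if tokens else ""


def collide_on_server(key_a, key_b, key_prefix="site", version=1):
    """True if two distinct application keys would land on the same server key."""
    seen_a = server_side_key(make_key(key_a, key_prefix, version))
    seen_b = server_side_key(make_key(key_b, key_prefix, version))
    return key_a != key_b and seen_a == seen_b


if __name__ == "__main__":
    # Constructed sample keys: one well-formed, two malformed ones that an
    # unvalidated backend would silently store under the same server key.
    good = "user:42:profile"
    bad_a, bad_b = "user:42 alice", "user:42 bob"
    print(validate_key(good))
    print("collide without validation:", collide_on_server(bad_a, bad_b))
    for k in (bad_a, bad_b, "x" * 251):
        try:
            validate_key(k)
        except InvalidCacheKey as exc:
            print("rejected:", exc)
```

With validation in place the backend refuses the malformed keys up front, so the two application-level keys that the unvalidated path would merge on the server are never sent at all; the rejection surfaces as an exception in the application rather than as another tenant's data coming back from the cache.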

Comment 1 Guilherme de Almeida Suckevicz 2020-06-03 16:42:11 UTC
Created django:1.6/python-django tracking bugs for this issue:

Affects: fedora-all [bug 1843620]


Created python-django tracking bugs for this issue:

Affects: epel-all [bug 1843616]
Affects: fedora-all [bug 1843617]
Affects: openstack-rdo [bug 1843619]


Created python-django16 tracking bugs for this issue:

Affects: epel-7 [bug 1843618]

Comment 3 Yadnyawalk Tale 2020-06-08 09:47:25 UTC
External References:

https://www.djangoproject.com/weblog/2020/jun/03/security-releases

Comment 8 Riccardo Schirone 2020-06-09 09:08:59 UTC
Created python2-django1.11 tracking bugs for this issue:

Affects: fedora-all [bug 1845442]

Comment 14 Hardik Vyas 2020-06-30 13:09:20 UTC
Statement:

Red Hat Satellite 6 ships the affected python-django; however, it does not use the memcached implementation in product code, hence it is not vulnerable to this flaw.

Red Hat Update Infrastructure 3 ships an affected version of python-django; however, it does not use memcached as a cache backend and is not vulnerable to this flaw.

Red Hat Ceph Storage (RHCS) ships an affected version of python-django used with calamari and graphite, which are no longer supported; hence the django package will not be fixed for RHCS.
