CVE-2007-0405: Django Improper Access Control

May 1, 2022 (updated April 9, 2025)

The LazyUser class in the AuthenticationMiddleware for Django 0.95 does not properly cache the user name across requests, which allows remote authenticated users to gain the privileges of a different user.

References

exchange.xforce.ibmcloud.com/vulnerabilities/31628
github.com/advisories/GHSA-mwv2-398h-v489
github.com/django/django
github.com/django/django/commit/3c5782287e
github.com/django/django/commit/e89f0a65581f82a5740bfe989136cea75d09cd67
nvd.nist.gov/vuln/detail/CVE-2007-0405

Code Behaviors & Features

Detect and mitigate CVE-2007-0405 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →