Fixed CVE-2020-13254 -- Enforced cache key validation in memcached backends.

2025-10-24 22:26:08 +00:00 · 2020-05-20 11:45:31 +02:00
parent 2dd4d110c1
commit 2c82414914
6 changed files with 66 additions and 45 deletions
--- a/docs/releases/2.2.13.txt
+++ b/docs/releases/2.2.13.txt
@@ -6,6 +6,14 @@ Django 2.2.13 release notes

 Django 2.2.13 fixes two security issues and a regression in 2.2.12.

+CVE-2020-13254: Potential data leakage via malformed memcached keys
+===================================================================
+
+In cases where a memcached backend does not perform key validation, passing
+malformed cache keys could result in a key collision, and potential data
+leakage. In order to avoid this vulnerability, key validation is added to the
+memcached cache backends.
+
 CVE-2020-13596: Possible XSS via admin ``ForeignKeyRawIdWidget``
 ================================================================

--- a/docs/releases/3.0.7.txt
+++ b/docs/releases/3.0.7.txt
@@ -6,6 +6,14 @@ Django 3.0.7 release notes

 Django 3.0.7 fixes two security issues and several bugs in 3.0.6.

+CVE-2020-13254: Potential data leakage via malformed memcached keys
+===================================================================
+
+In cases where a memcached backend does not perform key validation, passing
+malformed cache keys could result in a key collision, and potential data
+leakage. In order to avoid this vulnerability, key validation is added to the
+memcached cache backends.
+
 CVE-2020-13596: Possible XSS via admin ``ForeignKeyRawIdWidget``
 ================================================================