{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"important"},"category":"csaf_vex","csaf_version":"2.0","distribution":{"text":"Copyright 2024 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"SUSE CVE-2020-35681","title":"Title"},{"category":"description","text":"Django Channels 3.x before 3.0.3 allows remote attackers to obtain sensitive information from a different request scope. The legacy channels.http.AsgiHandler class, used for handling HTTP type requests in an ASGI environment prior to Django 3.0, did not correctly separate request scopes in Channels 3.0. In many cases this would result in a crash but, with correct timing, responses could be sent to the wrong client, resulting in potential leakage of session identifiers and other sensitive data. Note that this affects only the legacy Channels provided class, and not Django's similar ASGIHandler, available from Django 3.0.","title":"Description of the CVE"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"CVE-2020-35681","url":"https://www.suse.com/security/cve/CVE-2020-35681"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1180462 for CVE-2020-35681","url":"https://bugzilla.suse.com/1180462"}],"title":"SUSE CVE CVE-2020-35681","tracking":{"current_release_date":"2025-04-25T05:10:06Z","generator":{"date":"2023-02-15T03:51:10Z","engine":{"name":"cve-database.git:bin/generate-csaf-vex.pl","version":"1"}},"id":"CVE-2020-35681","initial_release_date":"2023-02-15T03:51:10Z","revision_history":[{"date":"2023-02-15T03:51:10Z","number":"2","summary":"Current version"},{"date":"2025-01-01T05:06:50Z","number":"3","summary":"Current version"},{"date":"2025-02-15T05:44:31Z","number":"4","summary":"Current version"},{"date":"2025-02-17T06:07:02Z","number":"5","summary":"Current version"},{"date":"2025-03-15T09:31:11Z","number":"6","summary":"Current version"},{"date":"2025-04-25T05:10:06Z","number":"7","summary":"Current version"}],"status":"interim","version":"7"}},"product_tree":{"branches":[{"branches":[{"branches":[{"category":"product_name","name":"HPE Helion OpenStack 8","product":{"name":"HPE Helion OpenStack 8","product_id":"HPE Helion OpenStack 8","product_identification_helper":{"cpe":"cpe:/o:suse:hpe-helion-openstack:8"}}},{"category":"product_name","name":"SUSE Enterprise Storage 5","product":{"name":"SUSE Enterprise Storage 5","product_id":"SUSE Enterprise Storage 5","product_identification_helper":{"cpe":"cpe:/o:suse:ses:5"}}},{"category":"product_name","name":"SUSE OpenStack Cloud 7","product":{"name":"SUSE OpenStack Cloud 7","product_id":"SUSE OpenStack Cloud 7","product_identification_helper":{"cpe":"cpe:/o:suse:suse-openstack-cloud:7"}}},{"category":"product_name","name":"SUSE OpenStack Cloud 8","product":{"name":"SUSE OpenStack Cloud 8","product_id":"SUSE OpenStack Cloud 8","product_identification_helper":{"cpe":"cpe:/o:suse:suse-openstack-cloud:8"}}},{"category":"product_name","name":"SUSE OpenStack Cloud 9","product":{"name":"SUSE OpenStack Cloud 9","product_id":"SUSE OpenStack Cloud 9","product_identification_helper":{"cpe":"cpe:/o:suse:suse-openstack-cloud:9"}}},{"category":"product_name","name":"SUSE OpenStack Cloud Crowbar 8","product":{"name":"SUSE OpenStack Cloud Crowbar 8","product_id":"SUSE OpenStack Cloud Crowbar 8","product_identification_helper":{"cpe":"cpe:/o:suse:suse-openstack-cloud-crowbar:8"}}},{"category":"product_name","name":"SUSE OpenStack Cloud Crowbar 9","product":{"name":"SUSE OpenStack Cloud Crowbar 9","product_id":"SUSE OpenStack Cloud Crowbar 9","product_identification_helper":{"cpe":"cpe:/o:suse:suse-openstack-cloud-crowbar:9"}}},{"category":"product_version","name":"python-Django","product":{"name":"python-Django","product_id":"python-Django","product_identification_helper":{"cpe":"cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*","purl":"pkg:rpm/suse/python-Django@?upstream=python-Django.src.rpm"}}},{"category":"product_version","name":"python-Django1","product":{"name":"python-Django1","product_id":"python-Django1","product_identification_helper":{"cpe":"cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*","purl":"pkg:rpm/suse/python-Django1@?upstream=python-Django1.src.rpm"}}}],"category":"product_family","name":"SUSE Linux Enterprise"}],"category":"vendor","name":"SUSE"}],"relationships":[{"category":"default_component_of","full_product_name":{"name":"python-Django as component of HPE Helion OpenStack 8","product_id":"HPE Helion OpenStack 8:python-Django"},"product_reference":"python-Django","relates_to_product_reference":"HPE Helion OpenStack 8"},{"category":"default_component_of","full_product_name":{"name":"python-Django as component of SUSE Enterprise Storage 5","product_id":"SUSE Enterprise Storage 5:python-Django"},"product_reference":"python-Django","relates_to_product_reference":"SUSE Enterprise Storage 5"},{"category":"default_component_of","full_product_name":{"name":"python-Django as component of SUSE OpenStack Cloud 7","product_id":"SUSE OpenStack Cloud 7:python-Django"},"product_reference":"python-Django","relates_to_product_reference":"SUSE OpenStack Cloud 7"},{"category":"default_component_of","full_product_name":{"name":"python-Django as component of SUSE OpenStack Cloud 8","product_id":"SUSE OpenStack Cloud 8:python-Django"},"product_reference":"python-Django","relates_to_product_reference":"SUSE OpenStack Cloud 8"},{"category":"default_component_of","full_product_name":{"name":"python-Django1 as component of SUSE OpenStack Cloud 9","product_id":"SUSE OpenStack Cloud 9:python-Django1"},"product_reference":"python-Django1","relates_to_product_reference":"SUSE OpenStack Cloud 9"},{"category":"default_component_of","full_product_name":{"name":"python-Django as component of SUSE OpenStack Cloud Crowbar 8","product_id":"SUSE OpenStack Cloud Crowbar 8:python-Django"},"product_reference":"python-Django","relates_to_product_reference":"SUSE OpenStack Cloud Crowbar 8"},{"category":"default_component_of","full_product_name":{"name":"python-Django1 as component of SUSE OpenStack Cloud Crowbar 9","product_id":"SUSE OpenStack Cloud Crowbar 9:python-Django1"},"product_reference":"python-Django1","relates_to_product_reference":"SUSE OpenStack Cloud Crowbar 9"}]},"vulnerabilities":[{"cve":"CVE-2020-35681","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2020-35681"}],"notes":[{"category":"general","text":"Django Channels 3.x before 3.0.3 allows remote attackers to obtain sensitive information from a different request scope. The legacy channels.http.AsgiHandler class, used for handling HTTP type requests in an ASGI environment prior to Django 3.0, did not correctly separate request scopes in Channels 3.0. In many cases this would result in a crash but, with correct timing, responses could be sent to the wrong client, resulting in potential leakage of session identifiers and other sensitive data. Note that this affects only the legacy Channels provided class, and not Django's similar ASGIHandler, available from Django 3.0.","title":"CVE description"}],"product_status":{"known_not_affected":["HPE Helion OpenStack 8:python-Django","SUSE Enterprise Storage 5:python-Django","SUSE OpenStack Cloud 7:python-Django","SUSE OpenStack Cloud 8:python-Django","SUSE OpenStack Cloud 9:python-Django1","SUSE OpenStack Cloud Crowbar 8:python-Django","SUSE OpenStack Cloud Crowbar 9:python-Django1"]},"references":[{"category":"external","summary":"CVE-2020-35681","url":"https://www.suse.com/security/cve/CVE-2020-35681"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1180462 for CVE-2020-35681","url":"https://bugzilla.suse.com/1180462"}],"threats":[{"category":"impact","date":"2020-12-30T13:50:21Z","details":"important"}],"title":"CVE-2020-35681"}]}