PT-2021-11824 · Django · Django Channels

Published: 2021-02-22 · Updated: 2021-03-19 · CVE-2020-35681

CVSS v4.0: 8.2 (High)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Django Channels versions 3.0.0 through 3.0.2
Description: The legacy channels.http.AsgiHandler class in Django Channels 3.0.0 through 3.0.2 was not updated to bind its per-request state to the individual request, so when several HTTP requests are served concurrently the state belonging to one request can be overwritten by another. In the usual case this ends in a crash, but with the right timing the response prepared for one request is sent to the client of a different request, leaking whatever that response carried, including session identifiers and other sensitive data. An unauthenticated remote attacker only needs to send requests concurrently with a victim's. Only the legacy Channels-provided class is affected; Django's own ASGIHandler, available from Django 3.0, is not.
Recommendations: Update Django Channels to 3.0.3 or later, which fixes the legacy handler. Until the upgrade is deployed, stop routing HTTP traffic through channels.http.AsgiHandler: in the ProtocolTypeRouter, hand the "http" protocol to Django's own ASGI application (django.core.handlers.asgi.get_asgi_application(), available from Django 3.0), which is not affected. Because a misdirected response can carry session identifiers, treat sessions issued while the vulnerable handler was serving traffic as potentially exposed.
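To make the failure mode in the description and the shape of the fix concrete, the following is an added example written for this page; it is not code from the Django Channels project and does not reproduce the real AsgiHandler. SharedStateHandler is an assumed, simplified stand-in for the legacy class: a single-callable ASGI-style app whose one instance serves every request but which keeps the request scope and body on self. PerRequestHandler is the corrected shape, keeping that state in the call's own locals. SAMPLE_REQUESTS are constructed, and the await asyncio.sleep(0) loop stands in for the awaited I/O during which a real handler is suspended. Served concurrently, the shared-state handler returns bob's session cookie to alice.

```python
import asyncio
from typing import Dict

# Constructed sample requests (not captured traffic). `yields` is how often the
# handler suspends while serving the request, standing in for awaited I/O.
SAMPLE_REQUESTS = [
    {"client": "alice", "cookie": "sessionid=alice-session", "yields": 3},
    {"client": "bob",   "cookie": "sessionid=bob-session",   "yields": 1},
]


class SharedStateHandler:
    """Simplified model of the flaw (assumed, not Channels' code): an ASGI-3
    style single callable whose one instance serves every request, but which
    keeps per-request data on `self`."""

    async def __call__(self, scope, receive, send):
        self.scope = scope                  # overwritten by any concurrent request
        self.body = await receive()
        for _ in range(scope["yields"]):
            await asyncio.sleep(0)          # suspend, as awaiting I/O would
        # self.scope / self.body may now belong to a different client's request
        await send({"cookie": self.scope["cookie"], "body": self.body})


class PerRequestHandler:
    """Corrected shape: everything the request needs lives in this call's
    locals, so concurrent calls cannot observe each other's state."""

    async def __call__(self, scope, receive, send):
        body = await receive()
        for _ in range(scope["yields"]):
            await asyncio.sleep(0)
        await send({"cookie": scope["cookie"], "body": body})


async def _serve_one(app, request):
    """Push one request through `app`; return (client, cookie in its response)."""
    messages = []

    async def receive():
        return f"body-from-{request['client']}"

    async def send(message):
        messages.append(message)

    await app(dict(request), receive, send)
    return request["client"], messages[0]["cookie"]


def run_concurrently(app) -> Dict[str, str]:
    """Serve all sample requests at once on a single app instance and report
    which session cookie each client actually received."""

    async def main():
        pairs = await asyncio.gather(*(_serve_one(app, r) for r in SAMPLE_REQUESTS))
        return dict(pairs)

    return asyncio.run(main())


def leaked_clients(app) -> list:
    """Clients whose response carried another client's session cookie."""
    expected = {r["client"]: r["cookie"] for r in SAMPLE_REQUESTS}
    got = run_concurrently(app)
    return sorted(c for c, cookie in got.items() if cookie != expected[c])


if __name__ == "__main__":
    print("legacy shape :", run_concurrently(SharedStateHandler()))
    print("per-request  :", run_concurrently(PerRequestHandler()))
```

The ordering is deterministic because asyncio runs ready tasks first-in, first-out: alice's call stores her scope, suspends, bob's call overwrites it and finishes first, and alice's call then reads bob's scope when it resumes. A real deployment has the same race whenever the handler awaits with request state held on the shared instance, which is why the workaround is to take the legacy class out of the "http" route rather than to tune concurrency.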

Tags: Exploit · Fix · Information Disclosure

Related Identifiers

CVE-2020-35681
GHSA-V542-8Q9X-CFFC
PYSEC-2021-113

Affected Products

Django Channels