PT-2014-4178 · Django Software Foundation+1 · Django+1

James Westby

Published

2014-05-14

Updated

2022-05-17

CVE-2014-1418

CVSS v4.0

9.1

Critical

Vector

AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions Django versions 1.4 through 1.4.12 Django versions 1.5 through 1.5.7 Django versions 1.6 through 1.6.4 Django versions 1.7 before 1.7b4

Description The issue allows remote attackers to obtain sensitive information or poison the cache via a request from certain browsers, due to the improper inclusion of the Vary: Cookie or Cache-Control header in responses.

Recommendations For Django versions 1.4 through 1.4.12, update to version 1.4.13 or later. For Django versions 1.5 through 1.5.7, update to version 1.5.8 or later. For Django versions 1.6 through 1.6.4, update to version 1.6.5 or later. For Django versions 1.7 before 1.7b4, update to version 1.7b4 or later.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-349

Related Identifiers

CVE-2014-1418

DSA-2934-1

GHSA-Q7Q2-QF2Q-RW3W

MGASA-2014-0231

PYSEC-2014-19

USN-2212-1

Affected Products

Django

Ubuntu

PT-2014-4178 · Django Software Foundation+1 · Django+1

CVE-2014-1418

Weakness Enumeration

Related Identifiers

Affected Products

References · 28