CVE-2014-0473 — Sensitive Information Exposure in Django

CWE-264 CWE-200 — Sensitive Information Exposure CWE-352 — Cross-Site Request Forgery12 documents8 sources

Severity

5.0MEDIUMNVD

OSV5.1

EPSS

0.3%

top 46.81%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Djangoproject Django Canonical Ubuntu Linux

Timeline

PublishedApr 23

Latest updateMay 17

Description

The caching framework in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 reuses a cached CSRF token for all anonymous users, which allows remote attackers to bypass CSRF protections by reading the CSRF cookie for anonymous users.

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages2 packages

▶PyPIdjangoproject/django1.5 — 1.5.6+2

▶NVDdjangoproject/django1.4.10+20

Also affects: Ubuntu Linux 10.04, 12.04, 12.10, 13.10, 14.04

🔴Vulnerability Details

GHSA

Django Reuses Cached CSRF Token↗2022-05-17

▶

OSV

Django Reuses Cached CSRF Token↗2022-05-17

▶

CVEList

CVE-2014-0473: The caching framework in Django before 1↗2014-04-23

▶

OSV

CVE-2014-0473: The caching framework in Django before 1↗2014-04-23

▶

OSV

python-django regression↗2014-04-23

▶

📋Vendor Advisories

Ubuntu

Django regression↗2014-04-23

▶

Ubuntu

Django vulnerabilities↗2014-04-22

▶

Red Hat

python-django: caching of anonymous pages could reveal CSRF token↗2014-04-21

▶

Debian

CVE-2014-0473: python-django - The caching framework in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before ...↗2014

▶

💬Community

Bugzilla

CVE-2014-0473 python-django: caching of anonymous pages could reveal CSRF token↗2014-04-23

▶