CVE-2014-1418 — Acceptance of Extraneous Untrusted Data With Trusted Data in Django

CWE-349 — Acceptance of Extraneous Untrusted Data With Trusted Data13 documents8 sources

Severity

6.4MEDIUMNVD

EPSS

0.5%

top 33.48%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Djangoproject Django Canonical Ubuntu Linux

Timeline

PublishedMay 16

Latest updateMay 17

Description

Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly include the (1) Vary: Cookie or (2) Cache-Control header in responses, which allows remote attackers to obtain sensitive information or poison the cache via a request from certain browsers.

CVSS vector

AV:N/AC:L/C:P/I:P/A:NExploitability: 10.0 | Impact: 4.9

Affected Packages2 packages

▶PyPIdjangoproject/django1.4 — 1.4.13+3

▶NVDdjangoproject/django26 versions+25

Also affects: Ubuntu Linux 10.04, 12.04, 12.10, 13.10, 14.04

Patches

Patch: www.djangoproject.com ↗Patch: www.djangoproject.com ↗

🔴Vulnerability Details

OSV

Django Vulnerable to Cache Poisoning↗2022-05-17

▶

GHSA

Django Vulnerable to Cache Poisoning↗2022-05-17

▶

OSV

CVE-2014-1418: Django 1↗2014-05-16

▶

CVEList

CVE-2014-1418: Django 1↗2014-05-16

▶

OSV

python-django vulnerabilities↗2014-05-15

▶

📋Vendor Advisories

Ubuntu

Django vulnerabilities↗2014-05-15

▶

Red Hat

Django: cached data possibly served to the wrong session↗2014-05-14

▶

Debian

CVE-2014-1418: python-django - Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7...↗2014

▶

💬Community

Bugzilla

CVE-2014-1418 python-django14: various flaws [fedora-all]↗2014-05-14

▶

Bugzilla

CVE-2014-1418 python-django: various flaws [fedora-all]↗2014-05-14

▶

Bugzilla

CVE-2014-1418 Django: cached data possibly served to the wrong session↗2014-05-14

▶

Bugzilla

CVE-2014-1418 Django14: various flaws [epel-6]↗2014-05-14

▶