Django Vulnerable to Cache Poisoning
Critical severity
GitHub Reviewed
Published May 17, 2022 to the GitHub Advisory Database
Updated Nov 18, 2024
Package
Affected versions
>= 1.4, < 1.4.13
>= 1.5, < 1.5.8
>= 1.6, < 1.6.5
>= 1.7a1, < 1.7b4
Patched versions
1.4.13
1.5.8
1.6.5
1.7b4
Description
Published by the National Vulnerability Database: May 16, 2014
Published to the GitHub Advisory Database: May 17, 2022
Reviewed: Aug 16, 2023
Last updated: Nov 18, 2024
Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly include the (1) Vary: Cookie or (2) Cache-Control header in responses, which allows remote attackers to obtain sensitive information or poison the cache via a request from certain browsers.