Lucene search

[email protected]CVE-2014-1418

HistoryMay 16, 2014 - 3:55 p.m.

CVE-2014-1418

2014-05-1615:55:04

[email protected]

web.nvd.nist.gov

cve-2014-1418

django

information security

vulnerability

cache poisoning

remote attack

6.4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

5.8 Medium

AI Score

Confidence

Low

0.005 Low

EPSS

Percentile

76.3%

JSON

Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly include the (1) Vary: Cookie or (2) Cache-Control header in responses, which allows remote attackers to obtain sensitive information or poison the cache via a request from certain browsers.

Affected configurations

NVD

Node

djangoprojectdjangoMatch1.7beta1

djangoprojectdjangoMatch1.7beta2

djangoprojectdjangoMatch1.7beta3

Node

djangoprojectdjangoMatch1.4

djangoprojectdjangoMatch1.4.1

djangoprojectdjangoMatch1.4.2

djangoprojectdjangoMatch1.4.4

djangoprojectdjangoMatch1.4.5

djangoprojectdjangoMatch1.4.6

djangoprojectdjangoMatch1.4.7

djangoprojectdjangoMatch1.4.8

djangoprojectdjangoMatch1.4.9

djangoprojectdjangoMatch1.4.10

djangoprojectdjangoMatch1.4.11

djangoprojectdjangoMatch1.4.12

Node

djangoprojectdjangoMatch1.5

djangoprojectdjangoMatch1.5alpha

djangoprojectdjangoMatch1.5beta

djangoprojectdjangoMatch1.5.1

djangoprojectdjangoMatch1.5.2

djangoprojectdjangoMatch1.5.3

djangoprojectdjangoMatch1.5.4

djangoprojectdjangoMatch1.5.5

djangoprojectdjangoMatch1.5.6

djangoprojectdjangoMatch1.5.7

Node

canonicalubuntu_linuxMatch10.04-lts

canonicalubuntu_linuxMatch12.04-lts

canonicalubuntu_linuxMatch12.10

canonicalubuntu_linuxMatch13.10

canonicalubuntu_linuxMatch14.04lts

Node

djangoprojectdjangoMatch1.6-

djangoprojectdjangoMatch1.6beta1

djangoprojectdjangoMatch1.6beta2

djangoprojectdjangoMatch1.6beta3

djangoprojectdjangoMatch1.6beta4

djangoprojectdjangoMatch1.6.1

djangoprojectdjangoMatch1.6.2

djangoprojectdjangoMatch1.6.3

djangoprojectdjangoMatch1.6.4

CPENameOperatorVersion
djangoproject:djangodjangoproject djangoeq1.7

CPE	Name	Operator	Version
djangoproject:django	djangoproject django	eq	1.7

References

lists.opensuse.org/opensuse-updates/2014-09/msg00023.html

secunia.com/advisories/61281

ubuntu.com/usn/usn-2212-1

www.debian.org/security/2014/dsa-2934

www.openwall.com/lists/oss-security/2014/05/14/10

www.openwall.com/lists/oss-security/2014/05/15/3

www.djangoproject.com/weblog/2014/may/14/security-releases-issued/

6.4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

5.8 Medium

AI Score

Confidence

Low

0.005 Low

EPSS

Percentile

76.3%

JSON

Related for CVE-2014-1418

ubuntu1 gitlab1 securityvulns3 prion1 nessus9 osv3 nvd1 github1 openvas17 cvelist1 debiancve1 ubuntucve1 fedora12 mageia1 ibm1 gentoo1 debian2