Publish GHSA-89hj-xfx5-7q66

2024-09-18 20:04:05 +00:00 · 2024-09-18 20:04:05 +00:00 · 5b5990f5fa
--- a/advisories/github-reviewed/2022/05/GHSA-89hj-xfx5-7q66/GHSA-89hj-xfx5-7q66.json
+++ b/advisories/github-reviewed/2022/05/GHSA-89hj-xfx5-7q66/GHSA-89hj-xfx5-7q66.json
@ -1,7 +1,7 @@
 {
  "schema_version": "1.4.0",
  "id": "GHSA-89hj-xfx5-7q66",
-  "modified": "2024-05-16T18:23:40Z",
+  "modified": "2024-09-18T20:01:44Z",
  "published": "2022-05-17T03:07:04Z",
  "aliases": [
    "CVE-2014-0473"
@ -9,13 +9,20 @@
  "summary": "Django Reuses Cached CSRF Token",
  "details": "The caching framework in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 reuses a cached CSRF token for all anonymous users, which allows remote attackers to bypass CSRF protections by reading the CSRF cookie for anonymous users.",
  "severity": [
-
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
+    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
-        "name": "django"
+        "name": "Django"
      },
      "ranges": [
        {
@ -34,14 +41,14 @@
    {
      "package": {
        "ecosystem": "PyPI",
-        "name": "django"
+        "name": "Django"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
-              "introduced": "1.5.0"
+              "introduced": "1.5"
            },
            {
              "fixed": "1.5.6"
@ -53,14 +60,14 @@
    {
      "package": {
        "ecosystem": "PyPI",
-        "name": "django"
+        "name": "Django"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
-              "introduced": "1.6.0"
+              "introduced": "1.6"
            },
            {
              "fixed": "1.6.3"
@ -91,6 +98,10 @@
      "type": "PACKAGE",
      "url": "https://github.com/django/django"
    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2014-2.yaml"
+    },
    {
      "type": "WEB",
      "url": "https://www.djangoproject.com/weblog/2014/apr/21/security"
@ -120,7 +131,7 @@
    "cwe_ids": [
      "CWE-200"
    ],
-    "severity": "MODERATE",
+    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-08-16T22:56:38Z",
    "nvd_published_at": "2014-04-23T15:55:00Z"