advisory-database[bot] 2024-09-18 20:04:05 +00:00
Родитель 3790751d42
Коммит 5b5990f5fa
1 изменённых файлов: 19 добавлений и 8 удалений


@ -1,7 +1,7 @@
{ {
"schema_version": "1.4.0", "schema_version": "1.4.0",
"id": "GHSA-89hj-xfx5-7q66", "id": "GHSA-89hj-xfx5-7q66",
"modified": "2024-05-16T18:23:40Z", "modified": "2024-09-18T20:01:44Z",
"published": "2022-05-17T03:07:04Z", "published": "2022-05-17T03:07:04Z",
"aliases": [ "aliases": [
"CVE-2014-0473" "CVE-2014-0473"
@ -9,13 +9,20 @@
"summary": "Django Reuses Cached CSRF Token", "summary": "Django Reuses Cached CSRF Token",
"details": "The caching framework in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 reuses a cached CSRF token for all anonymous users, which allows remote attackers to bypass CSRF protections by reading the CSRF cookie for anonymous users.", "details": "The caching framework in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 reuses a cached CSRF token for all anonymous users, which allows remote attackers to bypass CSRF protections by reading the CSRF cookie for anonymous users.",
"severity": [ "severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
},
{
"type": "CVSS_V4",
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
}
], ],
"affected": [ "affected": [
{ {
"package": { "package": {
"ecosystem": "PyPI", "ecosystem": "PyPI",
"name": "django" "name": "Django"
}, },
"ranges": [ "ranges": [
{ {
@ -34,14 +41,14 @@
{ {
"package": { "package": {
"ecosystem": "PyPI", "ecosystem": "PyPI",
"name": "django" "name": "Django"
}, },
"ranges": [ "ranges": [
{ {
"type": "ECOSYSTEM", "type": "ECOSYSTEM",
"events": [ "events": [
{ {
"introduced": "1.5.0" "introduced": "1.5"
}, },
{ {
"fixed": "1.5.6" "fixed": "1.5.6"
@ -53,14 +60,14 @@
{ {
"package": { "package": {
"ecosystem": "PyPI", "ecosystem": "PyPI",
"name": "django" "name": "Django"
}, },
"ranges": [ "ranges": [
{ {
"type": "ECOSYSTEM", "type": "ECOSYSTEM",
"events": [ "events": [
{ {
"introduced": "1.6.0" "introduced": "1.6"
}, },
{ {
"fixed": "1.6.3" "fixed": "1.6.3"
@ -91,6 +98,10 @@
"type": "PACKAGE", "type": "PACKAGE",
"url": "https://github.com/django/django" "url": "https://github.com/django/django"
}, },
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2014-2.yaml"
},
{ {
"type": "WEB", "type": "WEB",
"url": "https://www.djangoproject.com/weblog/2014/apr/21/security" "url": "https://www.djangoproject.com/weblog/2014/apr/21/security"
@ -120,7 +131,7 @@
"cwe_ids": [ "cwe_ids": [
"CWE-200" "CWE-200"
], ],
"severity": "MODERATE", "severity": "HIGH",
"github_reviewed": true, "github_reviewed": true,
"github_reviewed_at": "2023-08-16T22:56:38Z", "github_reviewed_at": "2023-08-16T22:56:38Z",
"nvd_published_at": "2014-04-23T15:55:00Z" "nvd_published_at": "2014-04-23T15:55:00Z"