Lucene search

DebianCVE-2014-0473

HistoryApr 23, 2014 - 3:55 p.m.

CVE-2014-0473

2014-04-2315:55:03

CWE-264

debian

web.nvd.nist.gov

django

caching framework

csrf

bypass

nvd

cve-2014-0473

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

AI Score

6.4

Confidence

Low

EPSS

0.005

Percentile

76.8%

JSON

The caching framework in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 reuses a cached CSRF token for all anonymous users, which allows remote attackers to bypass CSRF protections by reading the CSRF cookie for anonymous users.

Affected configurations

Nvd

Node

djangoprojectdjangoMatch1.5

djangoprojectdjangoMatch1.5.1

djangoprojectdjangoMatch1.5.2

djangoprojectdjangoMatch1.5.3

djangoprojectdjangoMatch1.5.4

djangoprojectdjangoMatch1.5.5

Node

djangoprojectdjangoMatch1.6

djangoprojectdjangoMatch1.6.1

djangoprojectdjangoMatch1.6.2

Node

djangoprojectdjangoMatch1.7alpha1

djangoprojectdjangoMatch1.7alpha2

djangoprojectdjangoMatch1.7beta1

Node

djangoprojectdjangoRange≤1.4.10

djangoprojectdjangoMatch1.4

djangoprojectdjangoMatch1.4.1

djangoprojectdjangoMatch1.4.2

djangoprojectdjangoMatch1.4.3

djangoprojectdjangoMatch1.4.4

djangoprojectdjangoMatch1.4.5

djangoprojectdjangoMatch1.4.6

djangoprojectdjangoMatch1.4.7

djangoprojectdjangoMatch1.4.8

djangoprojectdjangoMatch1.4.9

Node

canonicalubuntu_linuxMatch10.04-lts

canonicalubuntu_linuxMatch12.04-lts

canonicalubuntu_linuxMatch12.10

canonicalubuntu_linuxMatch13.10

canonicalubuntu_linuxMatch14.04lts

VendorProductVersionCPE
djangoprojectdjango1.5cpe:2.3:a:djangoproject:django:1.5:*:*:*:*:*:*:*
djangoprojectdjango1.5.1cpe:2.3:a:djangoproject:django:1.5.1:*:*:*:*:*:*:*
djangoprojectdjango1.5.2cpe:2.3:a:djangoproject:django:1.5.2:*:*:*:*:*:*:*
djangoprojectdjango1.5.3cpe:2.3:a:djangoproject:django:1.5.3:*:*:*:*:*:*:*
djangoprojectdjango1.5.4cpe:2.3:a:djangoproject:django:1.5.4:*:*:*:*:*:*:*
djangoprojectdjango1.5.5cpe:2.3:a:djangoproject:django:1.5.5:*:*:*:*:*:*:*
djangoprojectdjango1.6cpe:2.3:a:djangoproject:django:1.6:*:*:*:*:*:*:*
djangoprojectdjango1.6.1cpe:2.3:a:djangoproject:django:1.6.1:*:*:*:*:*:*:*
djangoprojectdjango1.6.2cpe:2.3:a:djangoproject:django:1.6.2:*:*:*:*:*:*:*
djangoprojectdjango1.7cpe:2.3:a:djangoproject:django:1.7:alpha1:*:*:*:*:*:*

Vendor	Product	Version	CPE
djangoproject	django	1.5	cpe:2.3:a:djangoproject:django:1.5:::::::*
djangoproject	django	1.5.1	cpe:2.3:a:djangoproject:django:1.5.1:::::::*
djangoproject	django	1.5.2	cpe:2.3:a:djangoproject:django:1.5.2:::::::*
djangoproject	django	1.5.3	cpe:2.3:a:djangoproject:django:1.5.3:::::::*
djangoproject	django	1.5.4	cpe:2.3:a:djangoproject:django:1.5.4:::::::*
djangoproject	django	1.5.5	cpe:2.3:a:djangoproject:django:1.5.5:::::::*
djangoproject	django	1.6	cpe:2.3:a:djangoproject:django:1.6:::::::*
djangoproject	django	1.6.1	cpe:2.3:a:djangoproject:django:1.6.1:::::::*
djangoproject	django	1.6.2	cpe:2.3:a:djangoproject:django:1.6.2:::::::*
djangoproject	django	1.7	cpe:2.3:a:djangoproject:django:1.7:alpha1::::::