{"id":"PYSEC-2014-2","details":"The caching framework in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 reuses a cached CSRF token for all anonymous users, which allows remote attackers to bypass CSRF protections by reading the CSRF cookie for anonymous users.","aliases":["CVE-2014-0473","GHSA-89hj-xfx5-7q66"],"modified":"2023-11-01T05:19:12.582363Z","published":"2014-04-23T15:55:00Z","references":[{"type":"ARTICLE","url":"https://www.djangoproject.com/weblog/2014/apr/21/security/"},{"type":"ADVISORY","url":"http://www.ubuntu.com/usn/USN-2169-1"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2014-0457.html"},{"type":"ADVISORY","url":"http://www.debian.org/security/2014/dsa-2934"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2014-0456.html"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html"},{"type":"ADVISORY","url":"http://secunia.com/advisories/61281"}],"affected":[{"package":{"name":"django","ecosystem":"PyPI","purl":"pkg:pypi/django"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.4.11"},{"introduced":"1.5"},{"fixed":"1.5.6"},{"introduced":"1.6"},{"fixed":"1.6.3"}]}],"versions":["1.0.1","1.0.2","1.0.3","1.0.4","1.1","1.1.1","1.1.2","1.1.3","1.1.4","1.2","1.2.1","1.2.2","1.2.3","1.2.4","1.2.5","1.2.6","1.2.7","1.3","1.3.1","1.3.2","1.3.3","1.3.4","1.3.5","1.3.6","1.3.7","1.4","1.4.1","1.4.10","1.4.2","1.4.3","1.4.4","1.4.5","1.4.6","1.4.7","1.4.8","1.4.9","1.5","1.5.1","1.5.2","1.5.3","1.5.4","1.5.5","1.6","1.6.1","1.6.2"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/django/PYSEC-2014-2.yaml"}}],"schema_version":"1.7.3"}