From 5c1cf341128e1ef4b45b3a5d8cc3263e05eb15b1 Mon Sep 17 00:00:00 2001 From: Craig Gurnik <720008+cgurnik@users.noreply.github.com> Date: Tue, 7 Jul 2026 15:50:33 -0400 Subject: [PATCH] Improve GHSA-8cjm-8mp7-r2xf --- .../GHSA-8cjm-8mp7-r2xf.json | 48 ++++++++++++++++--- 1 file changed, 42 insertions(+), 6 deletions(-) diff --git a/advisories/unreviewed/2026/06/GHSA-8cjm-8mp7-r2xf/GHSA-8cjm-8mp7-r2xf.json b/advisories/unreviewed/2026/06/GHSA-8cjm-8mp7-r2xf/GHSA-8cjm-8mp7-r2xf.json index 18ad879fb9e45..23f31da141df0 100644 --- a/advisories/unreviewed/2026/06/GHSA-8cjm-8mp7-r2xf/GHSA-8cjm-8mp7-r2xf.json +++ b/advisories/unreviewed/2026/06/GHSA-8cjm-8mp7-r2xf/GHSA-8cjm-8mp7-r2xf.json @@ -1,23 +1,59 @@ { "schema_version": "1.4.0", "id": "GHSA-8cjm-8mp7-r2xf", - "modified": "2026-06-03T15:30:43Z", + "modified": "2026-06-03T15:30:54Z", "published": "2026-06-03T15:30:43Z", "aliases": [ "CVE-2026-8404" ], + "summary": "Potential exposure of private data via case-sensitive Cache-Control directives in UpdateCacheMiddleware", "details": "An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6.\n`django.middleware.cache.UpdateCacheMiddleware` in Django does not match `Cache-Control` response directives case-insensitively, which allows remote attackers to read responses that were incorrectly cached because their `Cache-Control` directives used uppercase or mixed-case values.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Ahmed Badawe for reporting this issue.", "severity": [ { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N" + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "Django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "5.2" + }, + { + "fixed": "5.2.15" + } + ] + } + ] }, { - "type": "CVSS_V4", - "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + "package": { + "ecosystem": "PyPI", + "name": "Django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "6.0" + }, + { + "fixed": "6.0.6" + } + ] + } + ] } ], - "affected": [], "references": [ { "type": "ADVISORY",