usn-2212-1
Vulnerability from osv_ubuntu
Stephen Stewart, Michael Nelson, Natalia Bidart and James Westby discovered that Django improperly removed Vary and Cache-Control headers from HTTP responses when replying to a request from an Internet Explorer or Chrome Frame client. An attacker may use this to retrieve private data or poison caches. This update removes workarounds for bugs in Internet Explorer 6 and 7. (CVE-2014-1418)
Peter Kuma and Gavin Wahl discovered that Django did not correctly validate some malformed URLs, which are accepted by some browsers. An attacker may use this to cause unexpected redirects. An update has been provided for 12.04 LTS, 12.10, 13.10, and 14.04 LTS; this issue remains unfixed for 10.04 LTS as no "is_safe_url()" functionality existed in this version.
| URL | Type | |
|---|---|---|
{
"affected": [
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2014-1418",
"severity": [
{
"score": "medium",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:14.04:LTS"
}
},
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "python-django",
"binary_version": "1.6.1-2ubuntu0.3"
}
]
},
"package": {
"ecosystem": "Ubuntu:14.04:LTS",
"name": "python-django",
"purl": "pkg:deb/ubuntu/python-django@1.6.1-2ubuntu0.3?arch=source\u0026distro=trusty"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.1-2ubuntu0.3"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.5.4-1ubuntu1",
"1.6-1",
"1.6.1-1",
"1.6.1-2",
"1.6.1-2ubuntu0.1",
"1.6.1-2ubuntu0.2"
]
}
],
"aliases": [],
"details": "Stephen Stewart, Michael Nelson, Natalia Bidart and James Westby\ndiscovered that Django improperly removed Vary and Cache-Control headers\nfrom HTTP responses when replying to a request from an Internet Explorer\nor Chrome Frame client. An attacker may use this to retrieve private data\nor poison caches. This update removes workarounds for bugs in Internet\nExplorer 6 and 7. (CVE-2014-1418)\n\nPeter Kuma and Gavin Wahl discovered that Django did not correctly\nvalidate some malformed URLs, which are accepted by some browsers. An\nattacker may use this to cause unexpected redirects. An update has been\nprovided for 12.04 LTS, 12.10, 13.10, and 14.04 LTS; this issue remains\nunfixed for 10.04 LTS as no \"is_safe_url()\" functionality existed in\nthis version.\n",
"id": "USN-2212-1",
"modified": "2026-02-10T04:40:48Z",
"published": "2014-05-15T01:26:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-2212-1"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2014-1418"
}
],
"related": [],
"schema_version": "1.7.0",
"summary": "python-django vulnerabilities",
"upstream": [
"UBUNTU-CVE-2014-1418"
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.