From f958ccaf21eb3430d9d32a3433098eb005dc748d Mon Sep 17 00:00:00 2001 From: Craig Gurnik <720008+cgurnik@users.noreply.github.com> Date: Tue, 7 Jul 2026 15:52:12 -0400 Subject: [PATCH] Improve GHSA-qpc8-7fxc-cm4p --- .../GHSA-qpc8-7fxc-cm4p.json | 48 ++++++++++++++++--- 1 file changed, 42 insertions(+), 6 deletions(-) diff --git a/advisories/unreviewed/2026/06/GHSA-qpc8-7fxc-cm4p/GHSA-qpc8-7fxc-cm4p.json b/advisories/unreviewed/2026/06/GHSA-qpc8-7fxc-cm4p/GHSA-qpc8-7fxc-cm4p.json index 33939e2c398ca..93cead97e70f9 100644 --- a/advisories/unreviewed/2026/06/GHSA-qpc8-7fxc-cm4p/GHSA-qpc8-7fxc-cm4p.json +++ b/advisories/unreviewed/2026/06/GHSA-qpc8-7fxc-cm4p/GHSA-qpc8-7fxc-cm4p.json @@ -1,23 +1,59 @@ { "schema_version": "1.4.0", "id": "GHSA-qpc8-7fxc-cm4p", - "modified": "2026-06-03T15:30:43Z", + "modified": "2026-06-03T15:30:54Z", "published": "2026-06-03T15:30:42Z", "aliases": [ "CVE-2026-35193" ], + "summary": "Potential exposure of private data via missing Vary: Authorization in UpdateCacheMiddleware", "details": "An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6.\n`django.middleware.cache.UpdateCacheMiddleware` in Django does not add `Authorization` to the `Vary` response header for requests bearing that header without `Cache-Control: public`, which allows remote attackers to read private cached responses via unauthenticated requests to the same URL.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Shai Berger for reporting this issue.", "severity": [ { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N" + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "Django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "5.2" + }, + { + "fixed": "5.2.15" + } + ] + } + ] }, { - "type": "CVSS_V4", - "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + "package": { + "ecosystem": "PyPI", + "name": "Django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "6.0" + }, + { + "fixed": "6.0.6" + } + ] + } + ] } ], - "affected": [], "references": [ { "type": "ADVISORY",