CVE-2026-8404— UpdateCacheMiddleware缓存控制指令隐私数据泄露漏洞
新しい脆弱性情報の通知を購読するログインして購読
I. CVE-2026-8404の基本情報
脆弱性情報
脆弱性についてご質問がありますか?Shenlongの分析が参考になるかご確認ください!
Shenlongの10の質問を表示 ↗ 高度な大規模言語モデル技術を使用していますが、出力には不正確または古い情報が含まれる可能性があります。Shenlongはデータの正確性を確保するよう努めていますが、実際の状況に基づいて検証・判断してください。
脆弱性タイトル
Potential exposure of private data via case-sensitive Cache-Control directives in UpdateCacheMiddleware
ソース: NVD (National Vulnerability Database)
脆弱性説明
An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.middleware.cache.UpdateCacheMiddleware` in Django does not match `Cache-Control` response directives case-insensitively, which allows remote attackers to read responses that were incorrectly cached because their `Cache-Control` directives used uppercase or mixed-case values. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Ahmed Badawe for reporting this issue.
ソース: NVD (National Vulnerability Database)
CVSS情報
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
ソース: NVD (National Vulnerability Database)
脆弱性タイプ
大小写敏感处理不恰当
ソース: NVD (National Vulnerability Database)
影響を受ける製品
| ベンダー | プロダクト | 影響を受けるバージョン | CPE | 購読 |
|---|---|---|---|---|
| djangoproject | Django | 6.0 ~ 6.0.6 | - |
II. CVE-2026-8404の公開POC
| # | POC説明 | ソースリンク | Shenlongリンク |
|---|
AI生成POCプレミアム
公開POCは見つかりませんでした。
ログインしてAI POCを生成III. CVE-2026-8404のインテリジェンス情報
请登录查看更多情报信息。
CVE-2026-8404 厂商安全公告 (1)
- Archive of security issues | Django documentation | Djangovendor-advisory
CVE-2026-8404 邮件列表归档 (1)
- django-announce - Google Groupsmailing-list
CVE-2026-8404 安全博客文章 (1)
Same Patch Batch · djangoproject · 2026-06-03 · 7 CVEs total
| CVE-2026-44545 | 5.3 MEDIUM | Unbounded WebSocket message and frame sizes can cause unauthenticated remote denial of ser |
| CVE-2026-44546 | 3.7 LOW | Header injection via WebSocket upgrade parser differential allows ASGI scope header spoofi |
| CVE-2026-7666 | 3.1 LOW | Potential unencrypted email transmission via STARTTLS in the SMTP backend |
| CVE-2026-48587 | 3.1 LOW | Potential exposure of private data via whitespace padding in Vary header |
| CVE-2026-35193 | 3.1 LOW | Potential exposure of private data via missing Vary: Authorization in UpdateCacheMiddlewar |
| CVE-2026-6873 | 3.1 LOW | Signed cookie salt namespace collision in django.http.HttpRequest.get_signed_cookie |
IV. 関連脆弱性
同じ製品: Django
- CVE-2026-48587
Potential exposure of private data via whitespace padding in - CVE-2026-35193
Potential exposure of private data via missing Vary: Authori - CVE-2026-7666
Potential unencrypted email transmission via STARTTLS in the - CVE-2026-6873
Signed cookie salt namespace collision in django.http.HttpRe - CVE-2026-35192
Session fixation via public cached pages and SESSION_SAVE_EV
同じベンダー: djangoproject
- CVE-2026-44546
Header injection via WebSocket upgrade parser differential a - CVE-2026-44545
Unbounded WebSocket message and frame sizes can cause unauth - CVE-2026-48587
Potential exposure of private data via whitespace padding in - CVE-2026-35193
Potential exposure of private data via missing Vary: Authori - CVE-2026-7666
Potential unencrypted email transmission via STARTTLS in the
同じ弱点: CWE-178
- CVE-2026-53721
Nuxt: Route-rule middleware bypass via case-sensitivity mism - CVE-2026-47346
TYPO3 CMS - Broken Access Control in Form Framework - CVE-2026-46392
HAX CMS PHP Has a Stored XSS via Case-Sensitivity Mismatch i - CVE-2026-48595
Authorization header leaks to third-party origin on cross-or - CVE-2026-44367
Klaw: user lockout due to case sensitivity inconsistency
V. CVE-2026-8404へのコメント
まだコメントはありません