django 4.2.30

Direct Vulnerabilities

Known vulnerabilities in the django package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
L Use of Cache Containing Sensitive Information Affected versions of this package are vulnerable to Use of Cache Containing Sensitive Information in the `UpdateCacheMiddleware` function. An attacker can access sensitive cached data by making unauthenticated requests to endpoints that have previously been accessed with an `Authorization` header, due to the absence of the `Authorization` value in the `Vary` response header. How to fix Use of Cache Containing Sensitive Information? Upgrade `django` to version 5.2.15, 6.0.6 or higher.	[,5.2.15)[6.0a1,6.0.6)
L Incomplete Comparison with Missing Factors Affected versions of this package are vulnerable to Incomplete Comparison with Missing Factors in the `has_vary_header` function. An attacker can gain access to cached responses intended for other users by sending requests with whitespace-padded `Vary` header values. How to fix Incomplete Comparison with Missing Factors? Upgrade `django` to version 5.2.15, 6.0.6 or higher.	[,5.2.15)[6.0a1,6.0.6)
L Improper Verification of Cryptographic Signature Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in the `get_signed_cookie` function. An attacker can access data intended for a different context by crafting distinct `(name, salt)` pairs that result in the same concatenated value. How to fix Improper Verification of Cryptographic Signature? Upgrade `django` to version 5.2.15, 6.0.6 or higher.	[,5.2.15)[6.0a1,6.0.6)
L Cleartext Transmission of Sensitive Information Affected versions of this package are vulnerable to Cleartext Transmission of Sensitive Information in the `EmailBackend` function when a failed `STARTTLS` handshake occurs and `fail_silently=True` is set. An attacker can intercept and read email content by performing a man-in-the-middle attack on the network connection. How to fix Cleartext Transmission of Sensitive Information? Upgrade `django` to version 5.2.15, 6.0.6 or higher.	[,5.2.15)[6.0a1,6.0.6)
L Improper Handling of Case Sensitivity Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity due to improper handling of `Cache-Control` directives in `UpdateCacheMiddleware`. An attacker can gain unauthorized access to sensitive response data by sending requests with uppercase or mixed-case `Cache-Control` values, causing private data to be cached and subsequently served to other users. How to fix Improper Handling of Case Sensitivity? Upgrade `django` to version 5.2.15, 6.0.6 or higher.	[,5.2.15)[6.0a1,6.0.6)

Vulnerability

Vulnerable Version

Use of Cache Containing Sensitive Information

Affected versions of this package are vulnerable to Use of Cache Containing Sensitive Information in the UpdateCacheMiddleware function. An attacker can access sensitive cached data by making unauthenticated requests to endpoints that have previously been accessed with an Authorization header, due to the absence of the Authorization value in the Vary response header.

How to fix Use of Cache Containing Sensitive Information?