Impact
The issue lies in Django's caching middleware and decorator, which incorrectly cache responses that vary based on cookies when the request contains unrelated cookies. This behavior allows an attacker to read private data from a shared cache, resulting in information disclosure. The weakness is CWE-524, relating to incorrect handling of sensitive information.
Affected Systems
Affected versions are Django 6.0 prior to 6.0.7 and Django 5.2 prior to 5.2.16. Earlier series such as 5.0.x, 4.1.x, and 3.2.x were not evaluated and may also be vulnerable. The vulnerable component is the UpdateCacheMiddleware and the cache_page decorator that store cookie‑varying content in the cache.
Risk and Exploitability
The CVSS score of 2.3 denotes a low severity vulnerability. No EPSS score is available, and the issue is not listed in CISA's KEV catalog. Exploitation requires an attacker to send a request with unrelated cookies to a Django application using the affected middleware or decorator, causing the server to cache the response. The attacker can then retrieve cached content at a later time to read private data.
OpenCVE Enrichment