CVE-2015-2296 — Sensitive Info Insertion into Sent Data in Requests

CWE-201 — Sensitive Info Insertion into Sent Data12 documents8 sources

Severity

6.8MEDIUMNVD

EPSS

1.1%

top 21.56%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Python Requests Canonical Ubuntu Linux Mageia Project Mageia

Timeline

PublishedMar 18

Latest updateMay 13

Description

The resolve_redirects function in sessions.py in requests 2.1.0 through 2.5.3 allows remote attackers to conduct session fixation attacks via a cookie without a host value in a redirect.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages4 packages

▶PyPIpython/requests2.1.0 — 2.6.0

▶Debianpython/requests< 2.4.3-6+3

▶NVDpython/requests11 versions+10

▶NVDmageia_project/mageia4.0

Also affects: Ubuntu Linux 14.04, 14.10

🔴Vulnerability Details

GHSA

Python Requests Session Fixation↗2022-05-13

▶

OSV

Python Requests Session Fixation↗2022-05-13

▶

OSV

CVE-2015-2296: The resolve_redirects function in sessions↗2015-03-18

▶

CVEList

CVE-2015-2296: The resolve_redirects function in sessions↗2015-03-18

▶

📋Vendor Advisories

Ubuntu

Requests vulnerability↗2015-03-16

▶

Red Hat

python-requests: session fixation and cookie stealing vulnerability↗2015-03-14

▶

Debian

CVE-2015-2296: requests - The resolve_redirects function in sessions.py in requests 2.1.0 through 2.5.3 al...↗2015

▶

💬Community

Bugzilla

CVE-2015-2296 python-virtualenv: python-requests: session fixation and cookie stealing vulnerability [epel-6]↗2019-11-29

▶

Bugzilla

CVE-2015-1820 rubygem-rest-client: session fixation vulnerability Set-Cookie headers present in an HTTP 30x redirection responses↗2015-03-24

▶

Bugzilla

CVE-2015-2296 python-requests: session fixation and cookie stealing vulnerability [fedora-21]↗2015-03-17

▶

Bugzilla

CVE-2015-2296 python-requests: session fixation and cookie stealing vulnerability↗2015-03-17

▶