CVE-2015-3982
Published 2015-06-02. CVE-2015-3982: The session.flush function in the cached_db backend in Django 1.8.x before 1.8.2 does not properly flush the session, which allows remote attackers to hijack…
Priority: P4 · Severity: medium · CVSS 2.0: 5.0 · Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
EPSS: 1.75% (75.0th percentile)
The session.flush function in the cached_db backend in Django 1.8.x before 1.8.2 does not properly flush the session, which allows remote attackers to hijack user sessions via an empty string in the session key.
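The description above compresses the mechanism. What went wrong in 1.8.0 and 1.8.1 is that flush() in the cached_db backend left the session key as an empty string instead of None, and an empty string was then treated as a real key: it was saved under and sent back in the session cookie, so every user who had been flushed shared one session record. flush() is exactly what django.contrib.auth.logout() runs, and what django.contrib.auth.login() runs when a request already carries a session for a different user, so the trigger is an ordinary logout or account switch, not attacker input. Only deployments with SESSION_ENGINE pointing at django.contrib.sessions.backends.cached_db are in scope; 1.8.2 is the fix. The following toy store is an added example written for this page, not Django's code and not the patched code: SessionStore, account_switch_scenario, is_valid_session_key, KEY_LENGTH and the dict standing in for the DB/cache rows are all hypothetical. With buggy=True the store reproduces the failure mode; with buggy=False it shows the two behaviours a correct store needs, flush() leaving None so the next save mints a fresh key, and the loader refusing an empty or malformed key outright.

```python
"""Toy reproduction of the CVE-2015-3982 failure mode (hypothetical store, not Django's code)."""
import secrets

KEY_LENGTH = 32  # hex characters; policy of this hypothetical store


def is_valid_session_key(key):
    """Defence-in-depth check a hardened loader applies to an incoming cookie value."""
    return (isinstance(key, str) and len(key) == KEY_LENGTH
            and all(c in "0123456789abcdef" for c in key))


class SessionStore:
    """Minimal cached_db-style session store. `buggy=True` mimics a flush()
    that leaves "" as the key, which the store then treats as valid."""

    def __init__(self, backend, session_key=None, buggy=False):
        self._backend = backend          # dict standing in for the DB/cache rows
        self._session_key = session_key  # the value carried in the sessionid cookie
        self._data = None                # lazily loaded session dict
        self.buggy = buggy

    @property
    def session_key(self):
        return self._session_key

    def _new_key(self):
        while True:
            key = secrets.token_hex(KEY_LENGTH // 2)
            if key not in self._backend:
                return key

    def _load(self):
        key = self._session_key
        if self.buggy:
            valid = key is not None      # "" passes this test: the root cause
        else:
            valid = is_valid_session_key(key)
        if valid and key in self._backend:
            return dict(self._backend[key])
        return {}

    def __getitem__(self, name):
        if self._data is None:
            self._data = self._load()
        return self._data[name]

    def __setitem__(self, name, value):
        if self._data is None:
            self._data = self._load()
        self._data[name] = value

    def save(self):
        if self._session_key is None:
            self._session_key = self._new_key()   # fresh, unpredictable key
        self._backend[self._session_key] = dict(self._data or {})

    def delete(self):
        self._backend.pop(self._session_key, None)

    def flush(self):
        """What auth.logout() and auth.login() on an account switch call."""
        self._data = {}
        self.delete()
        self._session_key = "" if self.buggy else None


def account_switch_scenario(buggy):
    """Two browsers each log in, then switch account (login -> flush -> login).

    Returns (alice_cookie, bob_cookie, user_id seen by a later request that
    presents alice_cookie). Under the bug both cookies are "" and Alice's
    cookie now resolves to whoever flushed last, here Bob."""
    backend = {}

    alice = SessionStore(backend, buggy=buggy)
    alice["user_id"] = 1
    alice.save()
    alice.flush()                 # logging in as a different user flushes
    alice["user_id"] = 2
    alice.save()
    alice_cookie = alice.session_key

    bob = SessionStore(backend, buggy=buggy)
    bob["user_id"] = 3
    bob.save()
    bob.flush()
    bob["user_id"] = 4
    bob.save()
    bob_cookie = bob.session_key

    later = SessionStore(backend, session_key=alice_cookie, buggy=buggy)
    return alice_cookie, bob_cookie, later["user_id"]


if __name__ == "__main__":
    print("buggy:", account_switch_scenario(buggy=True))    # ('', '', 4)
    print("fixed:", account_switch_scenario(buggy=False))   # two distinct keys, 2
```

The useful operational check this suggests is independent of Django version: a session cookie whose value is empty or shorter than the backend ever generates should never resolve to a stored session, and a request log showing `sessionid=` with an empty value across many distinct clients is the signature of this class of bug.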
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python-django | — | — |
| djangoproject | django | — | — |
| djangoproject | django | — | — |
| djangoproject | django | >= 1.8 < 1.8.2 | 1.8.2 |
| djangoproject | django | >= 1.8a1 < 1.8.2 | 1.8.2 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| vendor_debian | — | 5.0 | LOW | — |
| vendor_redhat | — | 5.0 | MEDIUM | — |
GHSA
Django allows user sessions hijacking via an empty string in the session key
ghsa · 2022-05-17 · CVE-2015-3982 [MEDIUM] · CWE-384
OSV
Django allows user sessions hijacking via an empty string in the session key
osv · 2022-05-17 · CVE-2015-3982 [MEDIUM]
OSV
CVE-2015-3982: The session
osv · 2015-06-02 · CVE-2015-3982
Red Hat
django: incorrect session flushing in the cached_db backend
vendor_redhat · 2015-05-20 · CVSS 5.0 · CVE-2015-3982 [MEDIUM] · CWE-613
Statement: Not vulnerable. The 1.8 version of Django is not shipped in any Red Hat product.
Package: python-django (Red Hat Enterprise Linux OpenStack Platform 5 (Icehouse)) - Not affected
Package: python-django (Red Hat Enterprise Linux OpenStack Platform 6 (Juno)) - Not affected
Package: Django14 (Red Hat OpenStack Platform 4) - Not affected
Package: Django (Red Hat Subscription Asset Manager) - Not affected
Debian
CVE-2015-3982: python-django - The session.flush function in the cached_db backend in Django 1.8.x before 1.8.2...
vendor_debian · 2015 · CVSS 5.0 · CVE-2015-3982 [MEDIUM]
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
No detection rules found.
No public exploits indexed.
Published: 2015-06-02