CVE-2015-3982 — Session Fixation in Django

CWE-384 — Session Fixation CWE-613 — Insufficient Session Expiration8 documents7 sources

Severity

5.0MEDIUMNVD

EPSS

0.2%

top 54.72%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Djangoproject Django

Timeline

PublishedJun 2

Latest updateMay 17

Description

The session.flush function in the cached_db backend in Django 1.8.x before 1.8.2 does not properly flush the session, which allows remote attackers to hijack user sessions via an empty string in the session key.

CVSS vector

AV:N/AC:L/C:N/I:P/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages2 packages

▶PyPIdjangoproject/django1.8a1 — 1.8.2+1

▶NVDdjangoproject/django1.8.0, 1.8.1+1

Patches

Patch: www.djangoproject.com ↗Patch: www.djangoproject.com ↗

🔴Vulnerability Details

GHSA

Django allows user sessions hijacking via an empty string in the session key↗2022-05-17

▶

OSV

Django allows user sessions hijacking via an empty string in the session key↗2022-05-17

▶

OSV

CVE-2015-3982: The session↗2015-06-02

▶

CVEList

CVE-2015-3982: The session↗2015-06-02

▶

📋Vendor Advisories

Red Hat

django: incorrect session flushing in the cached_db backend↗2015-05-20

▶

Debian

CVE-2015-3982: python-django - The session.flush function in the cached_db backend in Django 1.8.x before 1.8.2...↗2015

▶

💬Community

Bugzilla

CVE-2015-3982 django: incorrect session flushing in the cached_db backend↗2015-05-14

▶