CVE-2015-5143Allocation of Resources Without Limits or Throttling in Django

CWE-399CWE-770Allocation of Resources Without Limits or ThrottlingCWE-400Uncontrolled Resource Consumption13 documents8 sources
Severity
7.8HIGHNVD
EPSS
15.8%
top 5.25%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Djangoproject DjangoCanonical Ubuntu LinuxDebian Linux+1 more
Timeline
PublishedJul 14
Latest updateJul 5

Description

The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (session store consumption) via multiple requests with unique session keys.

CVSS vector

AV:N/AC:L/C:N/I:N/A:CExploitability: 10.0 | Impact: 6.9

Affected Packages3 packages

PyPIdjangoproject/django1.51.7.9+2
NVDdjangoproject/django38 versions+37
NVDoracle/solaris11.3

Also affects: Debian Linux 7.0, 8.0, Ubuntu Linux 12.04, 14.04, 15.04, 15.10

Patches

Patch: www.djangoproject.comPatch: www.djangoproject.com

🔴Vulnerability Details

5
GHSA
Django Denial-of-service by filling session store2019-07-05
OSV
Django Denial-of-service by filling session store2019-07-05
CVEList
CVE-2015-5143: The session backends in Django before 12015-07-14
OSV
CVE-2015-5143: The session backends in Django before 12015-07-14
OSV
python-django vulnerabilities2015-07-09

📋Vendor Advisories

3
Ubuntu
Django vulnerabilities2015-07-09
Red Hat
Django: possible DoS by filling session store2015-07-08
Debian
CVE-2015-5143: python-django - The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before ...2015

💬Community

4
Bugzilla
CVE-2015-5143 Django14: Django: possible DoS by filling session store [epel-6]2015-07-14
Bugzilla
CVE-2015-5143 python-django: Django: possible DoS by filling session store [fedora-all]2015-07-14
Bugzilla
CVE-2015-5143 python-django: Django: possible DoS by filling session store [epel-7]2015-07-14
Bugzilla
CVE-2015-5143 Django: possible DoS by filling session store2015-07-03
CVE-2015-5143 — Djangoproject Django vulnerability | cvebase