CVE-2015-5143
Published 2015-07-14
Priority: P335 · CVSS 2.0: 7.8 (high) · vector AV:N/AC:L/Au:N/C:N/I:N/A:C
EPSS: 7.27% (93.6th percentile)
The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (session store consumption) via multiple requests with unique session keys.
Affected
49 ranges (version ranges not extracted for most rows; duplicate empty rows collapsed)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | python-django | < python-django 1.7.9-1 (bookworm) | python-django 1.7.9-1 (bookworm) |
| djangoproject | django | — | — |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v2.0) | 7.8 | HIGH | AV:N/AC:L/Au:N/C:N/I:N/A:C |
| osv | 7.8 | HIGH | — |
| vendor_debian | 7.8 | HIGH | — |
| vendor_redhat | 7.8 | HIGH | — |
| vendor_ubuntu | 7.8 | HIGH | — |
Ubuntu
Django vulnerabilities
vendor_ubuntu·2015-07-09·CVSS 7.8
CVE-2015-5143 [HIGH]
Summary: Several security issues were fixed in Django.
Eric Peterson and Lin Hua Cheng discovered that Django incorrectly handled
session records. A remote attacker could use this issue to cause a denial
of service. (CVE-2015-5143)
Sjoerd Job Postmus discovered that Django incorrectly handled newline
characters when performing validation. A remote attacker could use this
issue to perform header injection attacks. (CVE-2015-5144)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
Django: possible DoS by filling session store
vendor_redhat·2015-07-08·CVSS 7.8
CVE-2015-5143 [HIGH] CWE-400 Django: possible DoS by filling session store
The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (session store consumption) via multiple requests with unique session keys.
A flaw was found in the Django session backend, which could allow an unauthenticated attacker to create session records in the configured session store, causing a denial of service by filling up the session store.
Package: python-django (Red Hat Enterprise Linux OpenStack Platform 7 (Kilo)) - Not affected
Package: Django (Red Hat Subscription Asset Manager) - Will not fix
Debian
CVE-2015-5143: python-django - The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before ...
vendor_debian·2015·CVSS 7.8
CVE-2015-5143 [HIGH] CVE-2015-5143: python-django - The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before ...
The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (session store consumption) via multiple requests with unique session keys.
Scope: local
bookworm: resolved (fixed in 1.7.9-1)
bullseye: resolved (fixed in 1.7.9-1)
forky: resolved (fixed in 1.7.9-1)
sid: resolved (fixed in 1.7.9-1)
trixie: resolved (fixed in 1.7.9-1)
GHSA
Django Denial-of-service by filling session store
ghsa·2019-07-05
CVE-2015-5143 [HIGH] CWE-770 Django Denial-of-service by filling session store
The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (session store consumption) via multiple requests with unique session keys.
OSV
Django Denial-of-service by filling session store
osv·2019-07-05
CVE-2015-5143 [HIGH] Django Denial-of-service by filling session store
The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (session store consumption) via multiple requests with unique session keys.
OSV
CVE-2015-5143: The session backends in Django before 1
osv·2015-07-14·CVSS 7.8
CVE-2015-5143 [HIGH] CVE-2015-5143: The session backends in Django before 1
The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (session store consumption) via multiple requests with unique session keys.
OSV
python-django vulnerabilities
osv·2015-07-09·CVSS 7.8
CVE-2015-5143 [HIGH] python-django vulnerabilities
Eric Peterson and Lin Hua Cheng discovered that Django incorrectly handled
session records. A remote attacker could use this issue to cause a denial
of service. (CVE-2015-5143)
Sjoerd Job Postmus discovered that Django incorrectly handled newline
characters when performing validation. A remote attacker could use this
issue to perform header injection attacks. (CVE-2015-5144)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2015-5143 Django14: Django: possible DoS by filling session store [epel-6]
bugzilla·2015-07-14·CVSS 7.8
CVE-2015-5143 [HIGH] CVE-2015-5143 Django14: Django: possible DoS by filling session store [epel-6]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
epel-6 tracking bug for Django14: see blocks bug l
Bugzilla
CVE-2015-5143 python-django: Django: possible DoS by filling session store [fedora-all]
bugzilla·2015-07-14·CVSS 7.8
CVE-2015-5143 [HIGH] CVE-2015-5143 python-django: Django: possible DoS by filling session store [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported ve
Bugzilla
CVE-2015-5143 python-django: Django: possible DoS by filling session store [epel-7]
bugzilla·2015-07-14·CVSS 7.8
CVE-2015-5143 [HIGH] CVE-2015-5143 python-django: Django: possible DoS by filling session store [epel-7]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
epel-7 tracking bug for python-django: see bl
Bugzilla
CVE-2015-5143 Django: possible DoS by filling session store
bugzilla·2015-07-03·CVSS 7.8
CVE-2015-5143 [HIGH] CVE-2015-5143 Django: possible DoS by filling session store
The following flaw was found in Django:
In previous versions of Django, the session backends created a new empty record in the session storage anytime ``request.session`` was accessed and there was a session key provided in the request cookies that didn't already have a session record. This could allow an attacker to easily create many new session records simply by sending repeated requests with unknown session keys, potentially filling up the session store or causing other users' session records to be evicted.
The built-in session backends now create a session record only if the session is actually modified; empty session records are not created. Thus this potential DoS is now only possible if the site chooses to expose a sess
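The Bugzilla text above describes the pre-fix behaviour (a record written on any access with an unknown cookie key) and the fix (a record written only when the session is modified). The following is an added example, not Django's own code, that models both behaviours against a toy in-memory store so the difference in store growth is measurable; `Store`, `LegacySession`, `FixedSession`, `simulate` and `modified_session_is_persisted` are names assumed for this demo.

```python
import secrets

class Store:
    """Constructed in-memory stand-in for a session store (cache, db, file)."""
    def __init__(self):
        self.records = {}

class LegacySession:
    """Pre-fix: session access with an unknown cookie key writes an empty record."""
    def __init__(self, store, key):
        self.store = store
        self.key = key or secrets.token_hex(16)
        self.data = store.records.setdefault(self.key, {})
    def save(self):
        self.store.records[self.key] = self.data

class FixedSession:
    """Post-fix: unknown keys are discarded; a record is written only on modification."""
    def __init__(self, store, key):
        self.store, self.modified = store, False
        self.key = key if key in store.records else None
        self.data = dict(store.records[self.key]) if self.key else {}
    def __setitem__(self, name, value):
        self.data[name] = value
        self.modified = True

    def save(self):
        if not self.modified:
            return  # nothing to persist, so no record is created
        if self.key is None:
            self.key = secrets.token_hex(16)  # server-generated, never the cookie's
        self.store.records[self.key] = self.data

def simulate(session_cls, n_requests):
    """Replay read-only requests with fresh unknown keys; return stored record count."""
    store = Store()
    for _ in range(n_requests):
        session = session_cls(store, secrets.token_hex(16))
        session.data.get("user")  # read-only access, nothing modified
        session.save()
    return len(store.records)

def modified_session_is_persisted():
    """FixedSession with an unknown key persists once modified, under a new key."""
    store = Store()
    session = FixedSession(store, "unknown-key")
    session["user"] = 42
    session.save()
    return len(store.records) == 1 and "unknown-key" not in store.records
```

With the legacy model every read-only request adds a record, so the store grows linearly with unknown keys; with the fixed model the same traffic leaves the store empty, which is the property a defender can monitor (record count versus authenticated-user count) on a backend that has not yet been upgraded.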
References
http://lists.fedoraproject.org/pipermail/package-announce/2015-November/172084.html
http://lists.opensuse.org/opensuse-updates/2015-10/msg00043.html
http://lists.opensuse.org/opensuse-updates/2015-10/msg00046.html
http://rhn.redhat.com/errata/RHSA-2015-1678.html
http://rhn.redhat.com/errata/RHSA-2015-1686.html
http://www.debian.org/security/2015/dsa-3305
http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
http://www.securityfocus.com/bid/75666
http://www.securitytracker.com/id/1032820
http://www.ubuntu.com/usn/USN-2671-1
https://security.gentoo.org/glsa/201510-06
https://www.djangoproject.com/weblog/2015/jul/08/security-releases/