CVE-2015-5964: Allocation of Resources Without Limits or Throttling in Django

Severity
5.0 MEDIUM (NVD, CVSS v2)
EPSS
4.4% (top 11.02%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: 2015-08-24
Latest update: 2022-05-17

Description

The (1) contrib.sessions.backends.base.SessionBase.flush and (2) cache_db.SessionStore.flush functions in Django 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions create empty sessions in certain circumstances, which allows remote attackers to cause a denial of service (session store consumption) via unspecified vectors.

The vector named in the vendor advisories below is the logout() view (django.contrib.auth.views.logout). It calls flush() on the request's session, and in the affected releases flush() finished by allocating a new session key and saving an empty record, so an unauthenticated client with no session cookie got a fresh store entry on every request to it. Repeating that request fills the session store, or, for a cache-backed store, pushes other users' session records out of the cache. Django 1.7.10 and 1.4.22 change flush() to discard the session key without creating a replacement, so nothing is written until the session actually holds data. Third-party session backends that implement their own flush() should be checked for the same behaviour, and any other view that calls flush() is a concern only where unauthenticated clients can reach it.
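The following is an added illustration, not Django's code or anything from the advisories: a minimal in-memory model of the two flush() behaviours described above. The class names (BoundedCacheStore, SessionBase, VulnerableSession, FixedSession), the simulate() helper and the cache capacity are invented for this example; the store is a constructed stand-in for a cache-backed session backend with least-recently-written eviction. It shows why repeated anonymous logout requests both consume store capacity and evict a legitimate user's session under the old flush(), and why the fixed flush() leaves the store untouched.

```python
from collections import OrderedDict
import secrets


class BoundedCacheStore:
    """Constructed stand-in for a cache-backed session store with a fixed
    number of slots and least-recently-written eviction."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.records = OrderedDict()

    def save(self, key, data):
        self.records[key] = dict(data)
        self.records.move_to_end(key)
        while len(self.records) > self.capacity:
            self.records.popitem(last=False)  # evict the oldest record

    def delete(self, key):
        self.records.pop(key, None)

    def exists(self, key):
        return key in self.records

    def __len__(self):
        return len(self.records)


class SessionBase:
    """Minimal session object; flush() is supplied by the subclasses below."""

    def __init__(self, store, session_key=None):
        self.store = store
        self._session_key = session_key  # None for a client with no cookie
        self._session = {}

    @property
    def session_key(self):
        return self._session_key

    def create(self):
        # Allocate a fresh key and persist an empty record immediately.
        self._session_key = secrets.token_hex(16)
        self._session = {}
        self.store.save(self._session_key, self._session)

    def set(self, name, value):
        if self._session_key is None:
            self.create()
        self._session[name] = value
        self.store.save(self._session_key, self._session)

    def clear(self):
        self._session = {}

    def delete(self):
        if self._session_key is not None:
            self.store.delete(self._session_key)


class VulnerableSession(SessionBase):
    """Affected behaviour: flush() ends with create(), so every anonymous
    request that triggers it leaves a new empty record in the store."""

    def flush(self):
        self.clear()
        self.delete()
        self.create()


class FixedSession(SessionBase):
    """Corrected behaviour: flush() drops the key instead of allocating a
    new one; a record is written only once the session holds data."""

    def flush(self):
        self.clear()
        self.delete()
        self._session_key = None


def simulate(session_cls, capacity, anonymous_logouts):
    """Return store size and whether a logged-in user's session survived
    `anonymous_logouts` cookieless requests to a view that calls flush()."""
    store = BoundedCacheStore(capacity)

    # One legitimate logged-in user whose session record we want to keep.
    victim = session_cls(store)
    victim.set("_auth_user_id", "42")
    victim_key = victim.session_key

    # Repeated requests without a session cookie, as an attacker would send.
    for _ in range(anonymous_logouts):
        session_cls(store, session_key=None).flush()

    return {
        "records": len(store),
        "victim_session_alive": store.exists(victim_key),
    }


if __name__ == "__main__":
    for cls in (VulnerableSession, FixedSession):
        print(cls.__name__, simulate(cls, capacity=100, anonymous_logouts=1000))
```

With a 100-slot store and 1000 anonymous requests, the vulnerable variant ends with the store full of empty records and the legitimate session evicted; the fixed variant leaves exactly one record, the legitimate user's. The same loop against a database-backed store would show unbounded growth of the session table instead of eviction.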

CVSS vector

AV:N/AC:L/Au:N/C:N/I:N/A:P (CVSS v2); Exploitability subscore: 10.0 | Impact subscore: 2.9

Affected Packages (3 packages)

PyPI: djangoproject/django, 1.7 (fixed in 1.7.10), +1 more range
NVD: djangoproject/django, 33 versions (+32 more)
NVD: oracle/solaris, 11.3

Also affects: Ubuntu Linux 12.04, 14.04, 15.04

Patches

Vulnerability Details (4)

GHSA: Denial-of-service possibility in logout() view by filling session store (2022-05-17)
OSV: Denial-of-service possibility in logout() view by filling session store (2022-05-17)
CVEList: CVE-2015-5964: The (1) contrib... (2015-08-24)
OSV: CVE-2015-5964: The (1) contrib... (2015-08-24)

Vendor Advisories (3)

Red Hat: python-django: Denial-of-service possibility in logout() view by filling session store (2015-08-18)
Ubuntu: Django vulnerability (2015-08-18)
Debian: CVE-2015-5964: python-django - The (1) contrib.sessions.backends.base.SessionBase.flush and (2) cache_db.Sessio... (2015)

Community (2)

Bugzilla: CVE-2015-5964 python-django: Denial-of-service possibility in logout() view by filling session store [fedora-all] (2015-08-19)
Bugzilla: CVE-2015-5964 python-django: Denial-of-service possibility in logout() view by filling session store (2015-08-12)
CVE-2015-5964 — Djangoproject Django vulnerability | cvebase