CVE-2015-3982 – django
Package
Manager: pip
Name: django
Vulnerable Version: >=1.8a1 <1.8.2
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
EPSS: 0.00322 (percentile: 0.54584)
Details
Django allows user session hijacking via an empty string in the session key.
The session.flush function in the cached_db backend in Django 1.8.x before 1.8.2 does not properly flush the session, which allows remote attackers to hijack user sessions via an empty string in the session key.
Metadata
Created: 2022-05-17T03:29:56Z
Modified: 2024-09-17T15:10:52Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-6wgp-fwfm-mxp3/GHSA-6wgp-fwfm-mxp3.json
CWE IDs: ["CWE-384"]
Alternative ID: GHSA-6wgp-fwfm-mxp3
Finding: F280
Auto approve: 1