CVE-2015-2296
EPSS 1.1%Python Requests Session Fixation
Published: 5/13/2022Modified: 4/28/2026
Description
The resolve_redirects function in sessions.py in requests 2.1.0 through 2.5.3 allows remote attackers to conduct session fixation attacks via a cookie without a host value in a redirect.
Affected packages (3)
- Debian/requestsfrom 0, < 2.4.3-6
- PyPI/requests>= 2.1.0, < 2.6.0
- PyPI/requestsfrom 0, < 3bd8afbff29e50b38f889b2f688785a669b9aafc | >= 2.1.0, < 2.6.0
References (14)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2015-2296
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2015-2296
- PATCHhttps://github.com/psf/requests
- WEBhttp://advisories.mageia.org/MGASA-2015-0120.html
- WEBhttp://lists.fedoraproject.org/pipermail/package-announce/2015-March/153594.html
- WEBhttps://github.com/kennethreitz/requests/commit/3bd8afbff29e50b38f889b2f688785a669b9aafc
- WEBhttps://github.com/psf/requests/commit/3bd8afbff29e50b38f889b2f688785a669b9aafc
- WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/requests/PYSEC-2015-17.yaml
- WEBhttps://warehouse.python.org/project/requests/2.6.0
- WEBhttps://warehouse.python.org/project/requests/2.6.0/
- WEBhttp://www.mandriva.com/security/advisories?name=MDVSA-2015:133
- WEBhttp://www.openwall.com/lists/oss-security/2015/03/14/4
- WEBhttp://www.openwall.com/lists/oss-security/2015/03/15/1
- WEBhttp://www.ubuntu.com/usn/USN-2531-1