CVE-2015-3982
HIGH7.5EPSS 0.22%Django allows user sessions hijacking via an empty string in the session key
發布日:2022/5/17修改日:2024/9/17
描述
The session.flush function in the cached_db backend in Django 1.8.x before 1.8.2 does not properly flush the session, which allows remote attackers to hijack user sessions via an empty string in the session key.
受影響套件(2)
- PyPI/django>= 1.8a1, < 1.8.2
- PyPI/django>= 1.8, < 1.8.2
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U |
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
參考連結(8)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2015-3982
- ADVISORYhttps://www.djangoproject.com/weblog/2015/may/20/security-release/
- PATCHhttps://github.com/django/django
- WEBhttps://github.com/django/django/commit/31cb25adecba930bdeee4556709f5a1c42d88fd6
- WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2015-19.yaml
- WEBhttps://web.archive.org/web/20200228092138/http://www.securityfocus.com/bid/74960
- WEBhttps://www.djangoproject.com/weblog/2015/may/20/security-release
- WEBhttp://www.securityfocus.com/bid/74960