Django allows user sessions hijacking via an empty string in the session key

GHSA-6wgp-fwfm-mxp3 · CVE-2015-3982 · PYSEC-2015-19

Published May 17, 2022 · Modified Sep 17, 2024

Description

The session.flush function in the cached_db backend in Django 1.8.x before 1.8.2 does not properly flush the session, which allows remote attackers to hijack user sessions via an empty string in the session key.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2015-3982
WEB https://github.com/django/django/commit/31cb25adecba930bdeee4556709f5a1c42d88fd6
PACKAGE https://github.com/django/django
WEB https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2015-19.yaml
WEB https://web.archive.org/web/20200228092138/http://www.securityfocus.com/bid/74960
WEB https://www.djangoproject.com/weblog/2015/may/20/security-release

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes