CVE-2015-3982

2015-06-0214:59:10

Debian Security Bug Tracker

security-tracker.debian.org

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

0.002 Low

EPSS

Percentile

56.7%

JSON

The session.flush function in the cached_db backend in Django 1.8.x before 1.8.2 does not properly flush the session, which allows remote attackers to hijack user sessions via an empty string in the session key.

OSVersionArchitecturePackageVersionFilename
Debian12allpython-django< 3:3.2.19-1+deb12u1python-django_3:3.2.19-1+deb12u1_all.deb
Debian11allpython-django< 2:2.2.28-1~deb11u2python-django_2:2.2.28-1~deb11u2_all.deb
Debian999allpython-django< 3:4.2.13-1python-django_3:4.2.13-1_all.deb
Debian13allpython-django< 3:4.2.13-1python-django_3:4.2.13-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	python-django	< 3:3.2.19-1+deb12u1	python-django_3:3.2.19-1+deb12u1_all.deb
Debian	11	all	python-django	< 2:2.2.28-1~deb11u2	python-django_2:2.2.28-1~deb11u2_all.deb
Debian	999	all	python-django	< 3:4.2.13-1	python-django_3:4.2.13-1_all.deb
Debian	13	all	python-django	< 3:4.2.13-1	python-django_3:4.2.13-1_all.deb