CVSS v2 base score: 5.0 (Medium), vector AV:N/AC:L/Au:N/C:N/I:N/A:P
Access Vector: Network; Access Complexity: Low; Authentication: None
Confidentiality Impact: None; Integrity Impact: None; Availability Impact: Partial
EPSS: 0.024 (Low), percentile 88.3%
Django is a high-level Python Web framework that encourages rapid
development and a clean, pragmatic design. It focuses on automating as much
as possible and adhering to the DRY (Don’t Repeat Yourself) principle.
It was found that Django incorrectly handled the session store. A session
could be created by anonymously accessing the
django.contrib.auth.views.logout view if it was not decorated correctly
with django.contrib.auth.decorators.login_required. A remote attacker could
use this flaw to fill up the session store or cause other users’ session
records to be evicted by requesting a large number of new sessions.
(CVE-2015-5963)
It was found that certain Django functions would, in certain circumstances,
create empty sessions. A remote attacker could use this flaw to fill up the
session store or cause other users’ session records to be evicted by
requesting a large number of new sessions. (CVE-2015-5964)
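The two paragraphs above describe one mechanism: a logout (or similar) code path that allocates a fresh session record for a caller who never had a session, so repeated anonymous requests turn into repeated writes to a bounded backend. The following model, added here as an illustration and not taken from Django or from the Red Hat packages, makes that concrete. SessionStore, VulnerableSession, HardenedSession, Request and the two view functions are simplified stand-ins (the capacity of 100 and the request counts are arbitrary); they show the unprotected view filling an LRU-evicting store and pushing out legitimate users, then the two defences the advisory text names: requiring login before the flush, and never persisting an empty session.

```python
"""Constructed model of the session-store exhaustion behind CVE-2015-5963 and
CVE-2015-5964. Added example only: SessionStore, the Session classes, Request
and the views are simplified stand-ins, not Django's implementation."""
from collections import OrderedDict
import secrets


class SessionStore:
    """Bounded store that evicts the oldest record when full, standing in for a
    cache-backed session backend whose capacity an attacker can exhaust."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.records = OrderedDict()

    def create(self):
        key = secrets.token_hex(16)
        self.records[key] = {}
        while len(self.records) > self.capacity:
            self.records.popitem(last=False)  # evict the oldest record
        return key

    def delete(self, key):
        self.records.pop(key, None)


class VulnerableSession:
    """flush() always allocates a fresh record, even for a caller that sent no
    session cookie: the behaviour the advisory describes."""

    def __init__(self, store, key=None):
        self.store, self.key = store, key

    def flush(self):
        if self.key is not None:
            self.store.delete(self.key)
        self.key = self.store.create()


class HardenedSession(VulnerableSession):
    """flush() discards the current record and persists nothing new, so an
    empty session is never written to the backend."""

    def flush(self):
        if self.key is not None:
            self.store.delete(self.key)
        self.key = None


class Request:
    def __init__(self, session, authenticated):
        self.session, self.user_is_authenticated = session, authenticated


def logout_view_unprotected(request):
    # Flushes for every caller, anonymous ones included.
    request.session.flush()
    return "logged out"


def logout_view_login_required(request):
    # What wrapping the view in login_required achieves: anonymous callers
    # never reach the flush.
    if not request.user_is_authenticated:
        return "redirect to login"
    request.session.flush()
    return "logged out"


def simulate(view, session_cls, attacker_requests=1000, capacity=100, legit_users=10):
    """Seed the store with legitimate sessions, replay anonymous logout requests,
    and report how many records exist and how many legitimate ones survive."""
    store = SessionStore(capacity)
    legit_keys = [store.create() for _ in range(legit_users)]
    for _ in range(attacker_requests):
        view(Request(session_cls(store, key=None), authenticated=False))
    return {
        "records": len(store.records),
        "legit_surviving": sum(k in store.records for k in legit_keys),
    }


def authenticated_logout(session_cls):
    """Check that a real user's logout still removes their own record."""
    store = SessionStore(capacity=10)
    key = store.create()
    req = Request(session_cls(store, key=key), authenticated=True)
    logout_view_login_required(req)
    return (key in store.records, req.session.key)


if __name__ == "__main__":
    print("unprotected view, vulnerable flush:", simulate(logout_view_unprotected, VulnerableSession))
    print("login_required view, vulnerable flush:", simulate(logout_view_login_required, VulnerableSession))
    print("unprotected view, hardened flush:", simulate(logout_view_unprotected, HardenedSession))
```

Run stand-alone, the first line reports 100 records with none of the 10 seeded users surviving, while either defence leaves the store at the original 10 records. In a real deployment the check is the one the advisory implies: confirm that the logout URL is wrapped in login_required (as the admin's is), and apply the backported packages so that anonymous requests no longer create session records at all.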
Red Hat would like to thank the upstream Django project for reporting these
issues. Upstream acknowledges Lin Hua Cheng as the original reporter of
CVE-2015-5964.
All python-django users are advised to upgrade to these updated packages,
which contain backported patches to correct these issues.
OS | Release | Architecture | Package | Affected versions | Fixed package |
---|---|---|---|---|---|
RedHat | 7 | noarch | python-django-bash-completion | < 1.6.11-3.el7ost | python-django-bash-completion-1.6.11-3.el7ost.noarch.rpm |
RedHat | 7 | noarch | python-django-doc | < 1.6.11-3.el7ost | python-django-doc-1.6.11-3.el7ost.noarch.rpm |
RedHat | 7 | noarch | python-django | < 1.6.11-3.el7ost | python-django-1.6.11-3.el7ost.noarch.rpm |