Denial Of Service (DoS) Session Store Consumption Or Session Record Removal

Django is vulnerable to denial of service through session store consumption or session record removal. This is caused in contrib.sessions.middleware.SessionMiddleware when a large number of requests are made to contrib.auth.views.logout, triggering the creation of empty session records, using up...

PYSEC-2015-23

The 1 contrib.sessions.backends.base.SessionBase.flush and 2 cachedb.SessionStore.flush functions in Django 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions create empty sessions in certain circumstances, which allows remote attackers to cause a denial of service session stor...

CVE-2015-5143

The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allows remote attackers to cause a denial of service session store consumption via multiple requests with unique session keys...