CVE-2015-3982

EUVD-2015-0008
The session.flush function in the cached_db backend in Django 1.8.x before 1.8.2 does not properly flush the session, which allows remote attackers to hijack user sessions via an empty string in the session key.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:N/C:N/I:P/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 54%
Affected Products (NVD)
VendorProductVersion
djangoprojectdjango
1.8.0
djangoprojectdjango
1.8.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
python-django
bookworm
3:3.2.19-1+deb12u1
fixed
bookworm (security)
3:3.2.19-1+deb12u1
fixed
bullseye
2:2.2.28-1~deb11u2
fixed
bullseye (security)
2:2.2.28-1~deb11u2
fixed
sid
3:4.2.16-1
fixed
trixie
3:4.2.16-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
python-django
precise
not-affected
trusty
not-affected
utopic
not-affected
vivid
not-affected
References
http://www.securityfocus.com/bid/74960
https://www.djangoproject.com/weblog/2015/may/20/security-release/
http://www.securityfocus.com/bid/74960
https://www.djangoproject.com/weblog/2015/may/20/security-release/