CVE-2015-3982

Impact:
Moderate
Public Date:
2015-05-20
CWE:
CWE-613
Bugzilla:
1221526: CVE-2015-3982 django: incorrect session flushing in the cached_db backend

The MITRE CVE dictionary describes this issue as:

The session.flush function in the cached_db backend in Django 1.8.x before 1.8.2 does not properly flush the session, which allows remote attackers to hijack user sessions via an empty string in the session key.

Find out more about CVE-2015-3982 from the MITRE CVE dictionary and NIST NVD.

Statement

Not vulnerable. The 1.8 version of Django is not shipped in any Red Hat product.

CVSS v2 metrics

NOTE: The following CVSS v2 metrics and score provided are preliminary and subject to review.

Base Score 5.8
Base Metrics AV:N/AC:M/Au:N/C:P/I:P/A:N
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact Partial
Integrity Impact Partial
Availability Impact None

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Affected Packages State

Platform Package State
Red Hat Subscription Asset Manager 1 Django Not affected
Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7 python-django Not affected
Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) python-django Not affected
Red Hat Enterprise Linux OpenStack Platform 4.0 Django14 Not affected

Acknowledgements

Red Hat would like to thank the upstream Django project for reporting this issue.

CVE description copyright © 2017, The MITRE Corporation
