Miggo Logo
Miggo Vulnerability Database
CVE-2015-3982

CVE-2015-3982: Django allows user sessions hijacking via an empty string in the session key

7.5

CVSS Score
3.1

Basic Information

CVE ID
CVE-2015-3982
GHSA ID
GHSA-6wgp-fwfm-mxp3
EPSS Score
0.54632%
CWE
CWE-384
Published
5/17/2022
Updated
9/17/2024
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
Djangopip>= 1.8a1, < 1.8.21.8.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems directly from the session.flush() implementation in the cached_db backend. The commit diff shows the critical line change from setting _session_key to '' (vulnerable) to None (fixed). This incorrect key handling during session flushing allowed cookie collisions. The security advisory explicitly identifies this function as the root cause, and the patch confirms the fix occurs in this specific method.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** s*ssion.*lus* *un*tion in t** ******_** ***k*n* in *j*n*o *.*.x ***or* *.*.* *o*s not prop*rly *lus* t** s*ssion, w*i** *llows r*mot* *tt**k*rs to *ij**k us*r s*ssions vi* *n *mpty strin* in t** s*ssion k*y.

Reasoning

T** vuln*r**ility st*ms *ir**tly *rom t** s*ssion.*lus*() impl*m*nt*tion in t** ******_** ***k*n*. T** *ommit *i** s*ows t** *riti**l lin* ***n** *rom s*ttin* _s*ssion_k*y to '' (vuln*r**l*) to Non* (*ix**). T*is in*orr**t k*y **n*lin* *urin* s*ssion