Miggo Logo

CVE-2015-5964: Denial-of-service possibility in logout() view by filling session store

7.5

CVSS Score
3.1

Basic Information

EPSS Score
0.91329%
CWE
-
Published
5/17/2022
Updated
9/18/2024
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
Djangopip>= 1.7, < 1.7.101.7.10
Djangopip>= 1.4, < 1.4.221.4.22

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from the flush() methods creating new empty sessions after clearing session data. The GitHub commit diff shows both functions were modified to remove the 'self.create()' call and instead set '_session_key = None', explicitly preventing empty session creation. The CVE description, commit message, and patch context all confirm these functions were the root cause. The SessionMiddleware changes (to avoid creating empty sessions) complement the fix but are not the primary vulnerable functions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** (*) `*ontri*.s*ssions.***k*n*s.**s*.S*ssion**s*.*lus*` *n* (*) `*****_**.S*ssionStor*.*lus*` *un*tions in *j*n*o *.*.x ***or* *.*.**, *.*.x ***or* *.*.**, *n* possi*ly ot**r v*rsions *r**t* *mpty s*ssions in **rt*in *ir*umst*n**s, w*i** *llows r*

Reasoning

T** vuln*r**ility st*ms *rom t** *lus*() m*t*o*s *r**tin* n*w *mpty s*ssions **t*r *l**rin* s*ssion **t*. T** *it*u* *ommit *i** s*ows *ot* *un*tions w*r* mo*i*i** to r*mov* t** 's*l*.*r**t*()' **ll *n* inst*** s*t '_s*ssion_k*y = Non*', *xpli*itly p