CVE-2015-5964: Denial-of-service possibility in logout() view by filling session store
7.5
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.91329%
CWE
-
Published
5/17/2022
Updated
9/18/2024
KEV Status
No
Technology
Python
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
Django | pip | >= 1.7, < 1.7.10 | 1.7.10 |
Django | pip | >= 1.4, < 1.4.22 | 1.4.22 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from the flush() methods creating new empty sessions after clearing session data. The GitHub commit diff shows both functions were modified to remove the 'self.create()' call and instead set '_session_key = None', explicitly preventing empty session creation. The CVE description, commit message, and patch context all confirm these functions were the root cause. The SessionMiddleware changes (to avoid creating empty sessions) complement the fix but are not the primary vulnerable functions.