CVE-2015-3982

NameCVE-2015-3982
DescriptionThe session.flush function in the cached_db backend in Django 1.8.x before 1.8.2 does not properly flush the session, which allows remote attackers to hijack user sessions via an empty string in the session key.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
python-django (PTS)stretch1:1.10.7-2+deb9u9fixed
stretch (security)1:1.10.7-2+deb9u14fixed
buster, buster (security)1:1.11.29-1~deb10u1fixed
bookworm, bullseye2:2.2.24-1fixed
sid2:3.2.8-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
python-djangosource(unstable)(not affected)

Notes

- python-django <not-affected> (Only affects 1.8 and development branch)
https://www.djangoproject.com/weblog/2015/may/20/security-release/

Search for package or bug name: Reporting problems