Description
The (1) contrib.sessions.backends.base.SessionBase.flush and (2) cache_db.SessionStore.flush functions in Django 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions create empty sessions in certain circumstances, which allows remote attackers to cause a denial of service (session store consumption) via unspecified vectors.
It was found that certain Django functions would, in certain circumstances, create empty sessions. A remote attacker could use this flaw to fill up the session store or cause other users' session records to be evicted by requesting a large number of new sessions.
Affected packages
Platform | Package | Status | Advisory | Release date |
---|---|---|---|---|
Red Hat Enterprise Linux OpenStack Platform 7 (Kilo) | python-django | Not affected | | |
Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6 | python-django | Fixed | RHSA-2015:1766 | 10.09.2015 |
Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7 | python-django | Fixed | RHSA-2015:1767 | 10.09.2015 |
Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7 | python-django | Fixed | RHSA-2015:1894 | 15.10.2015 |
Additional information
CVSS2 score: 5 (Medium)
Related vulnerabilities
Denial-of-service possibility in logout() view by filling session store
Vulnerability in the Django web application framework that allows an attacker to cause a denial of service