CVE-2015-3982

Published: Jun 2, 2015Modified: May 6, 2026

5.0

Vector

AV:N/AC:L/Au:N/C:N/I:P/A:N

Exploitability: 10.0 / Impact: 2.9

Source: NVD

Description

The session.flush function in the cached_db backend in Django 1.8.x before 1.8.2 does not properly flush the session, which allows remote attackers to hijack user sessions via an empty string in the session key.

Affected (2)

Products: Djangoproject: Django

Djangoproject

1 product

Django

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Djangoproject Django	Version 1.8.0
Djangoproject Django	Version 1.8.1

References (4)

http://www.securityfocus.com/bid/74960

Source: cve@mitre.org

https://www.djangoproject.com/weblog/2015/may/20/security-release/

Source: cve@mitre.org

PatchVendor Advisory

http://www.securityfocus.com/bid/74960

Source: af854a3a-2127-422b-91ae-364da2661108

https://www.djangoproject.com/weblog/2015/may/20/security-release/

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

Timeline

No history available yet.