Lin Hua Cheng

**Name of the Vulnerable Software and Affected Versions** Django versions 1.4.x through 1.4.21 Django versions 1.7.x through 1.7.9 Django versions 1.8.x through 1.8.3 **Description** The issue is related to a resource management error in the contrib.sessions.middleware.SessionMiddleware component of the Django web application framework. It allows remote attackers to cause a denial of service by consuming session store resources or removing session records. This can be achieved by sending a large number of requests to the contrib.auth.views.logout endpoint, which triggers the creation of an empty session record. **Recommendations** For Django versions 1.4.x through 1.4.21, update to version 1.4.22 or later. For Django versions 1.7.x through 1.7.9, update to version 1.7.10 or later. For Django versions 1.8.x through 1.8.3, update to version 1.8.4 or later. As a temporary workaround, consider restricting access to the contrib.auth.views.logout endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Django versions 1.4.x through 1.4.21 Django versions 1.7.x through 1.7.9 **Description** The issue is related to errors in resource management in the `contrib.sessions.backends.base.SessionBase.flush` and `cache db.SessionStore.flush` functions of the Django framework. This can be exploited by a remote attacker to cause a denial of service under certain conditions. The exploitation allows attackers to consume session store resources, leading to a denial of service. **Recommendations** For Django versions 1.4.x through 1.4.21, update to version 1.4.22 or later. For Django versions 1.7.x through 1.7.9, update to version 1.7.10 or later.

**Name of the Vulnerable Software and Affected Versions** Django versions 1.5.x through 1.6.x Django versions 1.7.x before 1.7.9 Django versions 1.8.x before 1.8.3 Django versions prior to 1.4.21 **Description** The issue is related to resource management errors in the Django web application platform. It can be exploited by a remote attacker to cause a denial of service by creating multiple requests with unique session keys, leading to session store consumption. **Recommendations** For Django versions 1.5.x through 1.6.x, update to a version outside of this range to resolve the issue. For Django versions 1.7.x before 1.7.9, update to version 1.7.9 or later. For Django versions 1.8.x before 1.8.3, update to version 1.8.3 or later. For Django versions prior to 1.4.21, update to version 1.4.21 or later.