PT-2015-1974 · Django Software Foundation+2 · Django+2
Lin Hua Cheng
·
Publicado
2015-08-18
·
Atualizado
2026-01-03
·
CVE-2015-5963
CVSS v4.0
6.6
Média
| Vetor | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U |
Name of the Vulnerable Software and Affected Versions
Django versions 1.4.x through 1.4.21
Django versions 1.7.x through 1.7.9
Django versions 1.8.x through 1.8.3
Description
The issue is related to a resource management error in the contrib.sessions.middleware.SessionMiddleware component of the Django web application framework. It allows remote attackers to cause a denial of service by consuming session store resources or removing session records. This can be achieved by sending a large number of requests to the contrib.auth.views.logout endpoint, which triggers the creation of an empty session record.
Recommendations
For Django versions 1.4.x through 1.4.21, update to version 1.4.22 or later.
For Django versions 1.7.x through 1.7.9, update to version 1.7.10 or later.
For Django versions 1.8.x through 1.8.3, update to version 1.8.4 or later.
As a temporary workaround, consider restricting access to the contrib.auth.views.logout endpoint to minimize the risk of exploitation.
Correção
DoS
Allocation of Resources Without Limits
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Identificadores relacionados
Produtos afetados
Alt Linux
Django
Ubuntu