PT-2015-5702 · Python+2 · Requests+2

Matthew Daley · Published 2015-03-16 · Updated 2024-06-15 · CVE-2015-2296

CVSS v2.0: 6.8 (Medium)

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions

requests versions 2.1.0 through 2.5.3

Description

The issue allows remote attackers to conduct session fixation attacks via a cookie without a host value in a redirect. This is due to a problem in the resolve_redirects function in sessions.py.

Recommendations

For requests versions 2.1.0 through 2.5.3, consider updating to a version where this issue is fixed, as the current version allows session fixation attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Related Identifiers

CVE-2015-2296
GHSA-PG2W-X9WP-VW92
MGASA-2015-0120
OPENSUSE-SU-2024:10098-1
OPENSUSE-SU-2024:10125-1
OPENSUSE-SU-2024:11251-1
OPENSUSE-SU-2024:11266-1
OPENSUSE-SU-2024:11281-1
OPENSUSE-SU-2024:13916-1
OPENSUSE-SU-2024:13999-1
PYSEC-2015-17
SUSE-FU-2021:2130-1
SUSE-FU-2022:0444-1
SUSE-FU-2022:0445-1
SUSE-RU-2019:2505-1
SUSE-SU-2015:2156-1
SUSE-SU-2016:0114-1
SUSE-SU-2016_0114-1
SUSE-SU-2020:1792-1
SUSE-SU-2020_1792-1
USN-2531-1

Affected Products

Suse
Ubuntu
Requests