CVE-2015-2296 - The resolve_redirects function in sessions.py in requests 2.1.0 through 2.5.3 allows remote attacker

CVE-2015-2296

Summary

The resolve_redirects function in sessions.py in requests 2.1.0 through 2.5.3 allows remote attackers to conduct session fixation attacks via a cookie without a host value in a redirect. <a href="http://cwe.mitre.org/data/definitions/384.html">CWE-384: Session Fixation</a>

References

Vulnerable Configurations

cpe:2.3:o:mageia_project:mageia:4.0:*:*:*:*:*:*:*
cpe:2.3:o:mageia_project:mageia:4.0:*:*:*:*:*:*:*
cpe:2.3:a:python:requests:2.1.0:*:*:*:*:*:*:*
cpe:2.3:a:python:requests:2.1.0:*:*:*:*:*:*:*
cpe:2.3:a:python:requests:2.2.1:*:*:*:*:*:*:*
cpe:2.3:a:python:requests:2.2.1:*:*:*:*:*:*:*
cpe:2.3:a:python:requests:2.3.0:*:*:*:*:*:*:*
cpe:2.3:a:python:requests:2.3.0:*:*:*:*:*:*:*
cpe:2.3:a:python:requests:2.4.0:*:*:*:*:*:*:*
cpe:2.3:a:python:requests:2.4.0:*:*:*:*:*:*:*
cpe:2.3:a:python:requests:2.4.1:*:*:*:*:*:*:*
cpe:2.3:a:python:requests:2.4.1:*:*:*:*:*:*:*
cpe:2.3:a:python:requests:2.4.2:*:*:*:*:*:*:*
cpe:2.3:a:python:requests:2.4.2:*:*:*:*:*:*:*
cpe:2.3:a:python:requests:2.4.3:*:*:*:*:*:*:*
cpe:2.3:a:python:requests:2.4.3:*:*:*:*:*:*:*
cpe:2.3:a:python:requests:2.5.0:*:*:*:*:*:*:*
cpe:2.3:a:python:requests:2.5.0:*:*:*:*:*:*:*
cpe:2.3:a:python:requests:2.5.1:*:*:*:*:*:*:*
cpe:2.3:a:python:requests:2.5.1:*:*:*:*:*:*:*
cpe:2.3:a:python:requests:2.5.2:*:*:*:*:*:*:*
cpe:2.3:a:python:requests:2.5.2:*:*:*:*:*:*:*
cpe:2.3:a:python:requests:2.5.3:*:*:*:*:*:*:*
cpe:2.3:a:python:requests:2.5.3:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:14.10:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:14.10:*:*:*:*:*:*:*

CVSS

Base:	6.8 (as of 18-03-2021 - 13:19)
Impact:
Exploitability:

CWE

NVD-CWE-Other

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	MEDIUM	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:N/AC:M/Au:N/C:P/I:P/A:P

refmap via4

confirm	http://advisories.mageia.org/MGASA-2015-0120.html https://github.com/kennethreitz/requests/commit/3bd8afbff29e50b38f889b2f688785a669b9aafc https://warehouse.python.org/project/requests/2.6.0/
fedora	FEDORA-2015-4084
mandriva	MDVSA-2015:133
mlist	[oss-security] 20150314 CVE Request for python-requests session fixation vulnerability [oss-security] 20150314 Re: CVE Request for python-requests session fixation vulnerability
ubuntu	USN-2531-1

Last major update

18-03-2021 - 13:19

Published

18-03-2015 - 16:59

Last modified

18-03-2021 - 13:19