Vulnerability Details : CVE-2015-2296
The resolve_redirects function in sessions.py in requests 2.1.0 through 2.5.3 allows remote attackers to conduct session fixation attacks via a cookie without a host value in a redirect.
Products affected by CVE-2015-2296
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.10:*:*:*:*:*:*:*
- cpe:2.3:a:python:requests:2.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:python:requests:2.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:python:requests:2.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:python:requests:2.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:python:requests:2.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:python:requests:2.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:python:requests:2.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:python:requests:2.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:python:requests:2.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:python:requests:2.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:python:requests:2.5.3:*:*:*:*:*:*:*
- cpe:2.3:o:mageia_project:mageia:4.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2015-2296
- 1.67% probability of exploitation activity in the next 30 days
- ~87th percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2015-2296
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P | 8.6 | 6.4 | NIST | |
References for CVE-2015-2296
- oss-security - CVE Request for python-requests session fixation vulnerability: http://www.openwall.com/lists/oss-security/2015/03/14/4
- Don't ascribe cookies to the target domain. · psf/requests@3bd8afb · GitHub: https://github.com/kennethreitz/requests/commit/3bd8afbff29e50b38f889b2f688785a669b9aafc
- requests · PyPI (Vendor Advisory): https://warehouse.python.org/project/requests/2.6.0/
- oss-security - Re: CVE Request for python-requests session fixation vulnerability: http://www.openwall.com/lists/oss-security/2015/03/15/1
- Mageia Advisory: MGASA-2015-0120 - Updated python-requests packages fix security vulnerability: http://advisories.mageia.org/MGASA-2015-0120.html
- USN-2531-1: Requests vulnerability | Ubuntu security notices: http://www.ubuntu.com/usn/USN-2531-1