Lucene search

GitHub Advisory DatabaseGHSA-PG2W-X9WP-VW92

HistoryMay 13, 2022 - 1:11 a.m.

Python Requests Session Fixation

2022-05-1301:11:23

GitHub Advisory Database

github.com

python

requests

session fixation

sessions.py

remote attackers

session fixation attacks

redirect

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

AI Score

5.5

Confidence

High

EPSS

0.016

Percentile

87.5%

JSON

The resolve_redirects function in sessions.py in requests 2.1.0 through 2.5.3 allows remote attackers to conduct session fixation attacks via a cookie without a host value in a redirect.

Affected configurations

Vulners

Node

requestsRange<2.6.0

VendorProductVersionCPE
*requests*cpe:2.3:a:*:requests:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
*	requests	*	cpe:2.3:a::requests::::::::*

References

advisories.mageia.org/MGASA-2015-0120.html

lists.fedoraproject.org/pipermail/package-announce/2015-March/153594.html

www.mandriva.com/security/advisories?name=MDVSA-2015:133

www.openwall.com/lists/oss-security/2015/03/14/4

www.openwall.com/lists/oss-security/2015/03/15/1

www.ubuntu.com/usn/USN-2531-1

github.com/advisories/GHSA-pg2w-x9wp-vw92

github.com/psf/requests/commit/3bd8afbff29e50b38f889b2f688785a669b9aafc

nvd.nist.gov/vuln/detail/CVE-2015-2296

warehouse.python.org/project/requests/2.6.0/

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

AI Score

5.5

Confidence

High

EPSS

0.016

Percentile

87.5%

JSON

Related for GHSA-PG2W-X9WP-VW92