CVE-2015-2296
Published: 16 March 2015
The resolve_redirects function in sessions.py in requests 2.1.0 through 2.5.3 allows remote attackers to conduct session fixation attacks via a cookie without a host value in a redirect.
Notes
Author | Note |
---|---|
mdeslaur | reproducer script: https://gist.github.com/OddBloke/211ff98b63a8cfb3f6d4 |
Priority
Status
Package | Release | Status |
---|---|---|
requests (Launchpad, Ubuntu, Debian) | lucid | Does not exist |
requests | precise | Not vulnerable (0.8.2-1) |
requests | trusty | Released (2.2.1-1ubuntu0.2) |
requests | upstream | Released (2.6.0,2.4.3-6) |
requests | utopic | Released (2.3.0-1ubuntu0.1) |

Patches: upstream: https://github.com/kennethreitz/requests/commit/3bd8afbff29e50b38f889b2f688785a669b9aafc