Moderate severity · NVD Advisory · Published Jun 2, 2015 · Updated May 6, 2026
CVE-2015-3982
Description
The session.flush function in the cached_db backend in Django 1.8.x before 1.8.2 does not properly flush the session, which allows remote attackers to hijack user sessions via an empty string in the session key.
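To make the description concrete, here is an added example (not Django's code) that models the cached_db `flush()` before and after the fix against a small in-memory store; `SessionStore`, `login`, `switch_account_then_probe` and `SHARED_STORE` are constructed names for this illustration and stand in for the real backend, cache and auth functions.

```python
import secrets
# Constructed stand-in for the cache and DB table the cached_db backend writes to.
SHARED_STORE = {}

class SessionStore:
    """Minimal model of a cookie-keyed session; fixed=False reproduces the 1.8.0/1.8.1 flush()."""
    def __init__(self, session_key=None, fixed=True):
        self.session_key = session_key
        self.fixed = fixed
        self._data = None

    def _load(self):
        # None means "no session yet"; any other key, '' included, is looked up in the store.
        if self._data is None:
            stored = {} if self.session_key is None else SHARED_STORE.get(self.session_key, {})
            self._data = dict(stored)
        return self._data

    def get(self, key, default=None):
        return self._load().get(key, default)

    def set(self, key, value):
        self._load()[key] = value

    def save(self):
        # Only a None key gets a fresh random key on save; '' is saved as-is.
        if self.session_key is None:
            self.session_key = secrets.token_hex(16)
        SHARED_STORE[self.session_key] = dict(self._load())

    def flush(self):
        self._data = {}
        SHARED_STORE.pop(self.session_key, None)
        # The one-token difference between the vulnerable and the patched flush().
        self.session_key = None if self.fixed else ""

def login(session, user_id):
    """Models auth.login(): flush when a different account is already logged in."""
    if session.get("_auth_user_id") not in (None, user_id):
        session.flush()
    session.set("_auth_user_id", user_id)
    session.save()

def switch_account_then_probe(fixed):
    """Alice logs in, then logs in as Bob; a client presenting cookie '' then asks who it is."""
    SHARED_STORE.clear()
    browser = SessionStore(fixed=fixed)
    login(browser, "alice")
    login(browser, "bob")  # account switch triggers flush()
    return SessionStore(session_key="", fixed=fixed).get("_auth_user_id")
```

With `fixed=False` the account-switch session is saved under the key `''`, so any client whose cookie is empty reads Bob's session; with `fixed=True` the flushed session gets a fresh random key and the empty-string probe finds nothing.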
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Django (PyPI) | >= 1.8a1, < 1.8.2 | 1.8.2 |
Affected products
- cpe:2.3:a:djangoproject:django:1.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.8.1:*:*:*:*:*:*:*
Patches
31cb25adecba: [1.8.x] Fixed incorrect session.flush() in cached_db session backend.
3 files changed · +19 −2
django/contrib/sessions/backends/cached_db.py+1 −1 modified@@ -79,7 +79,7 @@ def flush(self): """ self.clear() self.delete(self.session_key) - self._session_key = '' + self._session_key = None # At bottom to avoid circular import from django.contrib.sessions.models import Session # isort:skip
docs/releases/1.8.2.txt+17 −1 modified@@ -4,7 +4,23 @@ Django 1.8.2 release notes *Under development* -Django 1.8.2 fixes several bugs in 1.8.1. +Django 1.8.2 fixes a security issue and several bugs in 1.8.1. + +Fixed session flushing in the ``cached_db`` backend +=================================================== + +A change to ``session.flush()`` in the ``cached_db`` session backend in Django +1.8 mistakenly sets the session key to an empty string rather than ``None``. An +empty string is treated as a valid session key and the session cookie is set +accordingly. Any users with an empty string in their session cookie will use +the same session store. ``session.flush()`` is called by +``django.contrib.auth.logout()`` and, more seriously, by +``django.contrib.auth.login()`` when a user switches accounts. If a user is +logged in and logs in again to a different account (without logging out) the +session is flushed to avoid reuse. After the session is flushed (and its +session key becomes ``''``) the account details are set on the session and the +session is saved. Any users with an empty string in their session cookie will +now be logged into that account. Bugfixes ========
tests/sessions_tests/tests.py+1 −0 modified@@ -162,6 +162,7 @@ def test_flush(self): self.session.flush() self.assertFalse(self.session.exists(prev_key)) self.assertNotEqual(self.session.session_key, prev_key) + self.assertIsNone(self.session.session_key) self.assertTrue(self.session.modified) self.assertTrue(self.session.accessed)
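Review bot: the `''` to `None` change in `flush()` in django/contrib/sessions/backends/cached_db.py is the right fix, since the release note in this same commit states that an empty string is treated as a valid session key whereas `None` is the value meaning "no session"; to keep a stray assignment from reintroducing the issue, consider also rejecting `''` wherever session keys are validated, and check the other session backends' `flush()` for the same assignment.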
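Review bot: the new "Fixed session flushing in the ``cached_db`` backend" section in docs/releases/1.8.2.txt does not mention CVE-2015-3982 in its heading or body; adding the identifier next to the section title makes the entry findable from the advisory and from tooling that matches on CVE ids.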
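Review bot: the added `self.assertIsNone(self.session.session_key)` in tests/sessions_tests/tests.py pins the exact regression but only inspects the attribute; a stronger test would flush, set a value, save, then open a new `SessionStore('')` and assert it holds no data, which is the user-visible failure the release note describes.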
References
- www.djangoproject.com/weblog/2015/may/20/security-release/ (NVD: Patch, Vendor Advisory)
- github.com/advisories/GHSA-6wgp-fwfm-mxp3 (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2015-3982 (GHSA: Advisory)
- github.com/django/django/commit/31cb25adecba930bdeee4556709f5a1c42d88fd6 (GHSA: Web)
- github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2015-19.yaml (GHSA: Web)
- web.archive.org/web/20200228092138/http://www.securityfocus.com/bid/74960 (GHSA: Web)
- www.djangoproject.com/weblog/2015/may/20/security-release (GHSA: Web)
- www.securityfocus.com/bid/74960 (NVD)