Moderate severity · NVD Advisory · Published Aug 24, 2015 · Updated Jun 17, 2026
CVE-2015-5963
Description
contrib.sessions.middleware.SessionMiddleware in Django 1.8.x before 1.8.4, 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions allows remote attackers to cause a denial of service (session store consumption or session record removal) via a large number of requests to contrib.auth.views.logout, which triggers the creation of an empty session record.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Django (PyPI) | >= 1.8, < 1.8.4 | 1.8.4 |
| Django (PyPI) | >= 1.7, < 1.7.10 | 1.7.10 |
| Django (PyPI) | >= 1.4, < 1.4.22 | 1.4.22 |
Affected products
- cpe:2.3:a:djangoproject:django:1.4:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.4.10:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.4.11:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.4.12:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.4.13:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.4.14:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.4.17:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.4.19:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.4.20:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.4.21:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.4.4:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.4.5:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.4.6:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.4.7:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.4.8:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.4.9:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.7.2:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.7.3:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.7.4:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.7.5:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.7.6:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.7.7:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.7.8:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.7.9:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.7:beta1:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.7:beta2:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.7:beta3:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.7:beta4:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.7:rc1:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.7:rc2:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.7:rc3:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.8.2:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.8.3:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.8:beta1:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:15.04:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:solaris:11.3:*:*:*:*:*:*:*
- ghsa-coords (8 versions):
  - pkg:pypi/django
  - pkg:rpm/opensuse/python-Django4&distro=openSUSE%20Tumbleweed
  - pkg:rpm/opensuse/python-Django6&distro=openSUSE%20Tumbleweed
  - pkg:rpm/opensuse/python-Django&distro=openSUSE%20Tumbleweed
  - pkg:rpm/suse/python-Django&distro=SUSE%20Enterprise%20Storage%201.0
  - pkg:rpm/suse/python-Django&distro=SUSE%20Enterprise%20Storage%202
  - pkg:rpm/suse/python-Django&distro=SUSE%20OpenStack%20Cloud%205
  - pkg:rpm/suse/python-Django&distro=SUSE%20Package%20Hub%2012%20SP1
- (no CPE) range: >= 1.8, < 1.8.4
- (no CPE) range: < 4.2.14-1.1
- (no CPE) range: < 6.0-1.1
- (no CPE) range: < 1.9.12-1.1
- (no CPE) range: < 1.6.11-8.1
- (no CPE) range: < 1.6.11-3.1
- (no CPE) range: < 1.6.11-10.2
- (no CPE) range: < 1.11.15-2.1
References (24)
- www.djangoproject.com/weblog/2015/aug/18/security-releases/ [nvd: Patch, Vendor Advisory]
- www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html [nvd: Third Party Advisory, WEB]
- www.ubuntu.com/usn/USN-2720-1 [nvd: Third Party Advisory, WEB]
- github.com/advisories/GHSA-pgxh-wfw4-jx2v [ghsa: ADVISORY]
- nvd.nist.gov/vuln/detail/CVE-2015-5963 [ghsa: ADVISORY]
- lists.fedoraproject.org/pipermail/package-announce/2015-November/172084.html [nvd: WEB]
- lists.opensuse.org/opensuse-updates/2015-09/msg00026.html [nvd: WEB]
- lists.opensuse.org/opensuse-updates/2015-09/msg00035.html [nvd: WEB]
- rhn.redhat.com/errata/RHSA-2015-1766.html [nvd: WEB]
- rhn.redhat.com/errata/RHSA-2015-1767.html [nvd: WEB]
- rhn.redhat.com/errata/RHSA-2015-1894.html [nvd: WEB]
- www.debian.org/security/2015/dsa-3338 [nvd: WEB]
- access.redhat.com/errata/RHSA-2015:1876 [nvd: WEB]
- github.com/django/django/blob/4555a823fd57e261e1b19c778429473256c8ea08/docs/releases/1.8.4.txt [ghsa: WEB]
- github.com/django/django/commit/2eb86b01d7b59be06076f6179a454d0fd0afaff6 [ghsa: WEB]
- github.com/django/django/commit/2f5485346ee6f84b4e52068c04e043092daf55f7 [ghsa: WEB]
- github.com/django/django/commit/575f59f9bc7c59a5e41a081d1f5f55fc859c5012 [ghsa: WEB]
- github.com/django/django/commit/8cc41ce7a7a8f6bebfdd89d5ab276cd0109f4fc5 [ghsa: WEB]
- github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2015-22.yaml [ghsa: WEB]
- web.archive.org/web/20150904151934/http://www.securitytracker.com/id/1033318 [ghsa: WEB]
- web.archive.org/web/20200228050526/http://www.securityfocus.com/bid/76428 [ghsa: WEB]
- www.djangoproject.com/weblog/2015/aug/18/security-releases [ghsa: WEB]
- www.securityfocus.com/bid/76428 [nvd]
- www.securitytracker.com/id/1033318 [nvd]