CVE-2015-2296

Description

The resolve_redirects function in sessions.py in requests 2.1.0 through 2.5.3 allows remote attackers to conduct session fixation attacks via a cookie without a host value in a redirect.

How to fix CVE-2015-2296

To remediate CVE-2015-2296, upgrade the affected package to a fixed version below.

• Debian/requests—upgrade to 2.4.3-6 or later
• PyPI/requests—upgrade to 2.6.0 or later
• PyPI/requests—upgrade to 3bd8afbff29e50b38f889b2f688785a669b9aafc or later

Is CVE-2015-2296 being exploited?

Low — EPSS is 1.1%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

• from 0, < 2.4.3-6
• >= 2.1.0, < 2.6.0
• from 0, < 3bd8afbff29e50b38f889b2f688785a669b9aafc | >= 2.1.0, < 2.6.0

References (15)

• ADVISORYgithub.com/advisories/GHSA-pg2w-x9wp-vw92
• ADVISORYnvd.nist.gov/vuln/detail/CVE-2015-2296
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2015-2296
• PATCHgithub.com/psf/requests
• WEBadvisories.mageia.org