CVE-2015-5143

The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (session store consumption) via multiple requests with unique session keys.

Published: Jul 14, 2015
Updated: Nov 9, 2025
CVE: CVE-2015-5143
GHSA: GHSA-h582-2pch-3xv3
Severity: High
Exploit:

CVSS v2:

Severity: High
Score: 7.8
AV:N/AC:L/Au:N/C:N/I:N/A:C

CWEs:

CWE-399

Affected Software
References

Software	From	Fixed in
djangoproject / django	1.7.5	1.7.5.x
djangoproject / django	1.5	1.5.x
djangoproject / django	1.5.7	1.5.7.x
djangoproject / django	1.5.1	1.5.1.x
djangoproject / django	1.7.9	1.7.9.x
djangoproject / django	1.7.3	1.7.3.x
djangoproject / django	1.6-beta4	1.6-beta4.x
djangoproject / django	1.6.7	1.6.7.x
djangoproject / django	1.8.2	1.8.2.x
djangoproject / django	1.7-rc2	1.7-rc2.x
djangoproject / django	1.7-beta1	1.7-beta1.x
djangoproject / django	1.6.5	1.6.5.x
djangoproject / django	1.6-beta2	1.6-beta2.x
djangoproject / django	1.5.3	1.5.3.x
djangoproject / django	1.7-beta3	1.7-beta3.x
djangoproject / django	1.7.7	1.7.7.x
djangoproject / django	1.8.1	1.8.1.x
djangoproject / django	1.5.4	1.5.4.x
djangoproject / django	1.5.12	1.5.12.x
djangoproject / django	1.6.8	1.6.8.x
djangoproject / django	1.5.10	1.5.10.x
djangoproject / django	1.5-beta	1.5-beta.x
djangoproject / django	1.6.6	1.6.6.x
djangoproject / django	1.4.20	1.4.20.x
djangoproject / django	1.5.5	1.5.5.x
djangoproject / django	1.7.2	1.7.2.x
djangoproject / django	1.7.4	1.7.4.x
djangoproject / django	1.7.8	1.7.8.x
djangoproject / django	1.6.10	1.6.10.x
djangoproject / django	1.6.3	1.6.3.x
djangoproject / django	1.7.6	1.7.6.x
djangoproject / django	1.8.0	1.8.0.x
djangoproject / django	1.7-rc3	1.7-rc3.x
djangoproject / django	1.5.8	1.5.8.x
djangoproject / django	1.6.4	1.6.4.x
djangoproject / django	1.6	1.6.x
djangoproject / django	1.5.9	1.5.9.x
djangoproject / django	1.6.1	1.6.1.x
djangoproject / django	1.6.2	1.6.2.x
djangoproject / django	1.6-beta1	1.6-beta1.x
djangoproject / django	1.6-beta3	1.6-beta3.x
djangoproject / django	1.7-rc1	1.7-rc1.x
djangoproject / django	1.6.9	1.6.9.x
djangoproject / django	1.7.1	1.7.1.x
djangoproject / django	1.7-beta2	1.7-beta2.x
djangoproject / django	1.5.2	1.5.2.x
djangoproject / django	1.5-alpha	1.5-alpha.x
djangoproject / django	1.5.6	1.5.6.x
djangoproject / django	1.5.11	1.5.11.x
djangoproject / django	1.7-beta4	1.7-beta4.x
debian / debian_linux	8.0	8.0.x
debian / debian_linux	7.0	7.0.x
oracle / solaris	11.3	11.3.x
canonical / ubuntu_linux	12.04	12.04.x
canonical / ubuntu_linux	15.10	15.10.x
canonical / ubuntu_linux	14.04	14.04.x
canonical / ubuntu_linux	15.04	15.04.x
Django	-	1.4.21
Django	1.5.0	1.7.9
Django	1.8.0	1.8.3

Vulnerability Database

300,445

CVE-2015-5143

Deep Security Visibility Without the Complexity