Python Requests Session Fixation

Description

The resolve_redirects function in sessions.py in requests 2.1.0 through 2.5.3 allows remote attackers to conduct session fixation attacks via a cookie without a host value in a redirect.

Basic information

Type
reviewed
Severity
medium
Advisory on GitHub
Open advisory ↗
Repository advisory
Source code
Browse source ↗
Published (advisory)
2022-05-13 01:11:23 UTC
Updated
2024-10-21 21:03:10 UTC
GitHub reviewed
2023-07-31 23:49:22 UTC
NVD published
2015-03-18

EPSS Score

Score Percentile
1.14% 78.05%

CVSS Scores

No CVSS scores in this advisory.

Identifiers

Credits

  • sfblackl-intel (analyst)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
pip requests >= 2.1.0, < 2.6.0 2.6.0

References

cvelogic Threat Intelligence