The resolve_redirects function in sessions.py in requests 2.1.0 through 2.5.3 allows remote attackers to conduct session fixation attacks via a cookie without a host value in a redirect.
| Score | Percentile |
|---|---|
| 1.14% | 78.05% |
No CVSS scores in this advisory.
| Type | Value |
|---|---|
| GHSA | GHSA-pg2w-x9wp-vw92 ↗ |
| CVE | CVE-2015-2296 ↗ |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| pip | requests | >= 2.1.0, < 2.6.0 | 2.6.0 | — |