Search for vulnerabilities
Vulnerability details: VCID-ck1f-qh2d-aaab
Vulnerability ID VCID-ck1f-qh2d-aaab
Aliases CVE-2015-2296
GHSA-pg2w-x9wp-vw92
PYSEC-2015-17
Summary The resolve_redirects function in sessions.py in requests 2.1.0 through 2.5.3 allows remote attackers to conduct session fixation attacks via a cookie without a host value in a redirect.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-201 Insertion of Sensitive Information Into Sent Data
System Score Found at
generic_textual MODERATE http://advisories.mageia.org/MGASA-2015-0120.html
generic_textual MODERATE http://lists.fedoraproject.org/pipermail/package-announce/2015-March/153594.html
generic_textual Medium http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-2296.html
epss 0.00816 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.00816 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.00816 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.00816 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.00816 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.00816 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.00816 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.00816 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.00816 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.00816 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.00816 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.00816 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.00816 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.00816 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.00816 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.00816 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.00816 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.00816 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.00816 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.00816 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.00816 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.00816 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.00816 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.00816 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.00816 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.00816 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.00816 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.00816 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.00816 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.00816 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.00816 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.00816 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.00816 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.00816 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.00816 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.00816 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.00816 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.00816 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.00816 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.00816 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.00816 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.00816 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.00816 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.00816 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.00816 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.01582 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.01582 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.01582 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.01582 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.01582 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.01582 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.01582 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.01582 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.01582 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.01582 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.01582 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.01672 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.01672 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.01672 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.01672 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.01915 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.01915 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.01915 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.01915 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.01915 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.01915 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.01915 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.01915 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.01915 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.01915 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.01915 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.01915 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.01915 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.01915 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.01915 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.01915 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.01915 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.01915 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.01915 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.01915 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.01915 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.01915 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.01915 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.01915 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.01915 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.01915 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.01915 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.01915 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
epss 0.04887 https://api.first.org/data/v1/epss?cve=CVE-2015-2296
rhbs medium https://bugzilla.redhat.com/show_bug.cgi?id=1202904
generic_textual Medium https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2296
cvssv2 1.8 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-pg2w-x9wp-vw92
generic_textual MODERATE https://github.com/kennethreitz/requests/commit/3bd8afbff29e50b38f889b2f688785a669b9aafc
cvssv3.1 5.6 https://github.com/psf/requests
generic_textual MODERATE https://github.com/psf/requests
generic_textual MODERATE https://github.com/psf/requests/commit/3bd8afbff29e50b38f889b2f688785a669b9aafc
generic_textual MODERATE https://github.com/pypa/advisory-database/tree/main/vulns/requests/PYSEC-2015-17.yaml
cvssv2 6.8 https://nvd.nist.gov/vuln/detail/CVE-2015-2296
generic_textual Medium https://ubuntu.com/security/notices/USN-2531-1
generic_textual MODERATE https://warehouse.python.org/project/requests/2.6.0
generic_textual Medium https://warehouse.python.org/project/requests/2.6.0/
cvssv3.1 5.3 http://www.mandriva.com/security/advisories?name=MDVSA-2015:133
generic_textual MODERATE http://www.mandriva.com/security/advisories?name=MDVSA-2015:133
generic_textual MODERATE http://www.openwall.com/lists/oss-security/2015/03/14/4
generic_textual MODERATE http://www.openwall.com/lists/oss-security/2015/03/15/1
generic_textual MODERATE http://www.ubuntu.com/usn/USN-2531-1
Reference id Reference type URL
http://advisories.mageia.org/MGASA-2015-0120.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-March/153594.html
http://osvdb.org/show/osvdb/119576
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-2296.html
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2015-2296.json
https://api.first.org/data/v1/epss?cve=CVE-2015-2296
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2296
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/kennethreitz/requests/commit/3bd8afbff29e50b38f889b2f688785a669b9aafc
https://github.com/kennethreitz/requests/commit/3bd8afbff29e50b38f889b2f688785a669b9aafc#diff-28e67177469c0d36b068d68d9f6043bf
https://github.com/kennethreitz/requests/commit/f7c85685a8e484715649c13bacae6adc7f5f3908#diff-28e67177469c0d36b068d68d9f6043bf
https://github.com/psf/requests
https://github.com/psf/requests/commit/3bd8afbff29e50b38f889b2f688785a669b9aafc
https://github.com/pypa/advisory-database/tree/main/vulns/requests/PYSEC-2015-17.yaml
https://ubuntu.com/security/notices/USN-2531-1
https://warehouse.python.org/project/requests/2.6.0
https://warehouse.python.org/project/requests/2.6.0/
http://www.mandriva.com/security/advisories?name=MDVSA-2015:133
http://www.openwall.com/lists/oss-security/2015/03/14/4
http://www.openwall.com/lists/oss-security/2015/03/15/1
http://www.ubuntu.com/usn/USN-2531-1
1202904 https://bugzilla.redhat.com/show_bug.cgi?id=1202904
780506 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780506
cpe:2.3:a:python:requests:2.1.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:python:requests:2.1.0:*:*:*:*:*:*:*
cpe:2.3:a:python:requests:2.2.1:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:python:requests:2.2.1:*:*:*:*:*:*:*
cpe:2.3:a:python:requests:2.3.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:python:requests:2.3.0:*:*:*:*:*:*:*
cpe:2.3:a:python:requests:2.4.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:python:requests:2.4.0:*:*:*:*:*:*:*
cpe:2.3:a:python:requests:2.4.1:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:python:requests:2.4.1:*:*:*:*:*:*:*
cpe:2.3:a:python:requests:2.4.2:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:python:requests:2.4.2:*:*:*:*:*:*:*
cpe:2.3:a:python:requests:2.4.3:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:python:requests:2.4.3:*:*:*:*:*:*:*
cpe:2.3:a:python:requests:2.5.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:python:requests:2.5.0:*:*:*:*:*:*:*
cpe:2.3:a:python:requests:2.5.1:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:python:requests:2.5.1:*:*:*:*:*:*:*
cpe:2.3:a:python:requests:2.5.2:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:python:requests:2.5.2:*:*:*:*:*:*:*
cpe:2.3:a:python:requests:2.5.3:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:python:requests:2.5.3:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:14.10:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:14.10:*:*:*:*:*:*:*
cpe:2.3:o:mageia_project:mageia:4.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:mageia_project:mageia:4.0:*:*:*:*:*:*:*
CVE-2015-2296 https://nvd.nist.gov/vuln/detail/CVE-2015-2296
GHSA-pg2w-x9wp-vw92 https://github.com/advisories/GHSA-pg2w-x9wp-vw92
USN-2531-1 https://usn.ubuntu.com/2531-1/
No exploits are available.
Vector: AV:A/AC:H/Au:N/C:P/I:N/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Exploitability (E) Access Vector (AV) Access Complexity (AC) Authentication (Au) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

none

partial

complete

none

partial

complete

none

partial

complete
Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N Found at https://github.com/psf/requests
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P Found at https://nvd.nist.gov/vuln/detail/CVE-2015-2296
Exploitability (E) Access Vector (AV) Access Complexity (AC) Authentication (Au) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

none

partial

complete

none

partial

complete

none

partial

complete
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at http://www.mandriva.com/security/advisories?name=MDVSA-2015:133
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.73172
EPSS Score 0.00816
Published At May 2, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
There are no relevant records.