contrib.sessions.middleware.SessionMiddleware
in Django 1.8.x before 1.8.4, 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions allows remote attackers to cause a denial of service (session store consumption or session record removal) via a large number of requests to contrib.auth.views.logout
, which triggers the creation of an empty session record.
{ "nvd_published_at": "2015-08-24T14:59:00Z", "cwe_ids": [ "CWE-770" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2023-08-03T20:01:52Z" }