CVE-2015-2296
CVE-2015-2296 is a medium-severity vulnerability in Python Requests with a CVSS 2.0 base score of 6.8. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low.
Key facts
- Severity: Medium (CVSS 2.0 base score 6.8)
- EPSS exploit prediction: 3% (87th percentile)
- Actively exploited: Not listed in CISA KEV
- Affected product: Python Requests
- Published:
- Last modified:
Description
The resolve_redirects function in sessions.py in requests 2.1.0 through 2.5.3 allows remote attackers to conduct session fixation attacks via a cookie without a host value in a redirect.
Frequently asked questions
- What is CVE-2015-2296?
- The resolve_redirects function in sessions.py in requests 2.1.0 through 2.5.3 allows remote attackers to conduct session fixation attacks via a cookie without a host value in a redirect.
- How severe is CVE-2015-2296?
- CVE-2015-2296 has a CVSS 2.0 base score of 6.8, rated medium severity.
- Is CVE-2015-2296 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 3% (87th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2015-2296?
- CVE-2015-2296 primarily affects Python Requests. In total, 14 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2015-2296?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2015-2296 published?
- CVE-2015-2296 was published on 2015-03-18 and last updated on 2026-06-17.
References
- http://advisories.mageia.org/MGASA-2015-0120.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-March/153594.html
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:133
- http://www.openwall.com/lists/oss-security/2015/03/14/4
- http://www.openwall.com/lists/oss-security/2015/03/15/1
- http://www.ubuntu.com/usn/USN-2531-1
- https://github.com/kennethreitz/requests/commit/3bd8afbff29e50b38f889b2f688785a669b9aafc
- https://warehouse.python.org/project/requests/2.6.0/
Affected products (14)
- cpe:2.3:o:mageia_project:mageia:4.0:*:*:*:*:*:*:*
- cpe:2.3:a:python:requests:2.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:python:requests:2.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:python:requests:2.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:python:requests:2.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:python:requests:2.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:python:requests:2.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:python:requests:2.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:python:requests:2.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:python:requests:2.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:python:requests:2.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:python:requests:2.5.3:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.10:*:*:*:*:*:*:*
More vulnerabilities in Python Requests
- CVE-2018-18074 — High (CVSS 7.5): The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a…
- CVE-2023-32681 — Medium (CVSS 6.1): Requests is a HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination…
- CVE-2014-1830 — Medium (CVSS 5.0): Requests (aka python-requests) before 2.3.0 allows remote servers to obtain sensitive information by reading the…
- CVE-2014-1829 — Medium (CVSS 5.0): Requests (aka python-requests) before 2.3.0 allows remote servers to obtain a netrc password by reading the…
- CVE-2026-25645 — Medium (CVSS 4.4): Requests is a HTTP library. Prior to version 2.33.0, the `requests.utils.extract_zipped_paths()` utility function uses…