GMS-2015-21: Denial-of-service possibility in logout() view by filling session store

August 18, 2015

A session can be created when anonymously accessing the django.contrib.auth.views.logout view (provided it wasn’t decorated with django.contrib.auth.decorators.login_required as done in the admin). This allows an attacker to easily create many new session records by sending repeated requests, potentially filling up the session store or causing other users’ session records to be evicted.

References

www.djangoproject.com/weblog/2015/aug/18/security-releases/

Code Behaviors & Features

Detect and mitigate GMS-2015-21 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →