The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (session store consumption) via multiple requests with unique session keys.
Exploitability
AV:NAC:LAu:NImpact
C:NI:NA:C7.8/AV:N/AC:L/Au:N/C:N/I:N/A:C