CVE-2015-8213
Published 2015-12-07. CVE-2015-8213: The get_format function in utils/formats.py in Django before 1.7.x before 1.7.11, 1.8.x before 1.8.7, and 1.9.x before 1.9rc2 might allow remote attackers to…
Priority: P4 · CVSS 2.0: 5 (medium) · vector AV:N/AC:L/Au:N/C:P/I:N/A:N
EPSS: 4.28% (89.9th percentile)
The get_format function in utils/formats.py in Django before 1.7.x before 1.7.11, 1.8.x before 1.8.7, and 1.9.x before 1.9rc2 might allow remote attackers to obtain sensitive application secrets via a settings key in place of a date/time format setting, as demonstrated by SECRET_KEY.
Affected (13 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python-django | < 1.8.7-1 (bookworm) | 1.8.7-1 (bookworm) |
| djangoproject | django | <= 1.7.10 | — |
| djangoproject | django | >= 1.7 < 1.7.11 | 1.7.11 |
| djangoproject | django | >= 1.8a1 < 1.8.7 | 1.8.7 |
| djangoproject | django | >= 1.9a1 < 1.9rc2 | 1.9rc2 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| osv | — | 5.0 | MEDIUM | — |
| vendor_debian | — | 5.0 | MEDIUM | — |
| vendor_redhat | — | 5.0 | MEDIUM | — |
Red Hat
python-django: Information leak through date template filter
vendor_redhat · 2015-11-24 · CVSS 5.0 · MEDIUM · CWE-200
An information-exposure flaw was found in the Django date filter. If an application allowed users to provide non-validated date formats, a malicious end user could expose application-settings data by providing the relevant application-settings key instead of a valid date format.
Package: Django (Red Hat Ceph Storage 1.2) - Will not fix
Package: Django (Red Hat Ceph Storage 1.3) - Will not fix
Package: python-django (Red Hat OpenStack Platform 8
Ubuntu
Django vulnerability
vendor_ubuntu · 2015-11-24
Summary: Django could be made to expose sensitive information over the network.
Ryan Butterfield discovered that Django incorrectly handled the date template filter. A remote attacker could possibly use this issue to obtain secrets from application settings.
Instructions: In general, a standard system update will make all the necessary changes.
Debian
CVE-2015-8213: python-django - The get_format function in utils/formats.py in Django before 1.7.x before 1.7.11...
vendor_debian · 2015 · CVSS 5.0 · MEDIUM
Scope: local
bookworm: resolved (fixed in 1.8.7-1)
bullseye: resolved (fixed in 1.8.7-1)
forky: resolved (fixed in 1.8.7-1)
sid: resolved (fixed in 1.8.7-1)
trixie: resolved (fixed in 1.8.7-1)
GHSA
Django settings leak in date template filter
ghsa · 2022-05-17 · MEDIUM · CWE-200
OSV
Django settings leak in date template filter
osv · 2022-05-17 · MEDIUM
OSV
CVE-2015-8213: The get_format function in utils/formats
osv · 2015-12-07 · CVSS 5.0 · MEDIUM
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2015-8213 python-django: Information leak through date template filter [fedora-all]
bugzilla · 2015-11-25 · CVSS 5.0 · MEDIUM
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this issue affects multiple supported ve
Bugzilla
CVE-2015-8213 python-django: Information leak through date template filter [epel-all]
bugzilla · 2015-11-25 · CVSS 5.0 · MEDIUM
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this issue affects multiple supported
Bugzilla
CVE-2015-8213 python-django: Information leak through date template filter
bugzilla · 2015-11-19 · CVSS 5.0 · MEDIUM
A vulnerability in the date filter exposing information on application settings was found. If an application allows users to specify an unvalidated format for dates and passes this format to the ``date`` filter, e.g. ``{{ last_updated|date:user_date_format }}``, then a malicious user could obtain any secret in the application's settings by specifying a settings key instead of a date format, e.g. ``"SECRET_KEY"`` instead of ``"j/m/Y"``.
Affected supported versions are Django 1.9, 1.8 and 1.7.
External reference: https://www.djangoproject.com/weblog/2015/nov/24/security-releases-issued/
Discussion:
Created attachment 1096569: Django 1.7
Created attachment 1096570: Django 1.8
Created attachment 1096571: Djan
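The lookup described in the report above, modelled in Python as an added example (this is not Django's code): the pre-fix resolution that hands back any settings attribute, beside the allowlisted resolution the fix introduced, plus the application-side allowlist a site on an unpatched release can use instead of passing raw user input to the filter. The settings object, the placeholder secret, the abbreviated FORMAT_SETTINGS membership and the format choices are constructed for the demonstration.

```python
from types import SimpleNamespace

# Constructed stand-in for django.conf.settings; the secret is a placeholder.
settings = SimpleNamespace(
    DATE_FORMAT="N j, Y",
    SECRET_KEY="PLACEHOLDER-constructed-secret",
)

# Names the formats module is meant to resolve. The fix for CVE-2015-8213
# (commit 316bc3fc, Django 1.7.11 / 1.8.7 / 1.9rc2) introduced an allowlist
# of this kind; the membership here is reproduced from memory and is
# illustrative, not authoritative.
FORMAT_SETTINGS = frozenset({
    "DATE_FORMAT", "TIME_FORMAT", "DATETIME_FORMAT", "SHORT_DATE_FORMAT",
    "SHORT_DATETIME_FORMAT", "MONTH_DAY_FORMAT", "YEAR_MONTH_FORMAT",
    "DECIMAL_SEPARATOR", "THOUSAND_SEPARATOR", "NUMBER_GROUPING",
    "FIRST_DAY_OF_WEEK", "DATE_INPUT_FORMATS", "TIME_INPUT_FORMATS",
    "DATETIME_INPUT_FORMATS",
})


def get_format_vulnerable(format_type: str) -> str:
    """Pre-fix behaviour: any settings attribute name is resolved, so a
    user-supplied 'SECRET_KEY' comes back as the secret itself."""
    return getattr(settings, format_type, format_type)


def get_format_fixed(format_type: str) -> str:
    """Post-fix behaviour: only allowlisted format names are looked up on
    settings; any other string is returned unchanged as a literal format."""
    if format_type not in FORMAT_SETTINGS:
        return format_type
    return getattr(settings, format_type, format_type)


# Application-side mitigation for templates that must honour a user-chosen
# date format on an unpatched release: map a short set of named choices to
# vetted format strings instead of passing the raw input to the filter
# (constructed example allowlist).
USER_FORMAT_CHOICES = {"eu": "j/m/Y", "us": "m/d/Y", "iso": "Y-m-d"}


def user_date_format(choice: str) -> str:
    """Return a vetted format string for a user's choice; unknown choices,
    including anything that looks like a settings key, fall back to the
    site default rather than ever reaching get_format."""
    return USER_FORMAT_CHOICES.get(choice, USER_FORMAT_CHOICES["iso"])
```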
References
http://lists.fedoraproject.org/pipermail/package-announce/2015-December/173375.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-December/174770.html
http://lists.opensuse.org/opensuse-updates/2015-12/msg00014.html
http://lists.opensuse.org/opensuse-updates/2015-12/msg00017.html
http://rhn.redhat.com/errata/RHSA-2016-0129.html
http://rhn.redhat.com/errata/RHSA-2016-0156.html
http://rhn.redhat.com/errata/RHSA-2016-0157.html
http://rhn.redhat.com/errata/RHSA-2016-0158.html
http://www.debian.org/security/2015/dsa-3404
http://www.securityfocus.com/bid/77750
http://www.securitytracker.com/id/1034237
http://www.ubuntu.com/usn/USN-2816-1
https://github.com/django/django/commit/316bc3fc9437c5960c24baceb93c73f1939711e4
https://www.djangoproject.com/weblog/2015/nov/24/security-releases-issued/
Published: 2015-12-07