The get_format function in utils/formats.py in Django before 1.7.x before 1.7.11, 1.8.x before 1.8.7, and 1.9.x before 1.9rc2 might allow remote attackers to obtain sensitive application secrets via a settings key in place of a date/time format setting, as demonstrated by SECRET_KEY.

Metrics

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

Vendors Products
Djangoproject
  • Django
Redhat
  • Openstack
  • Openstack-optools

Configuration 1 [-]

OR cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.8.0:*:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.8.1:*:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.8.2:*:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.8.3:*:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.8.4:*:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.8.5:*:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.8.6:*:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.9.0:rc1:*:*:*:*:*:*
Package CPE Advisory Released Date
Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6
python-django-0:1.6.11-4.el6ost cpe:/a:redhat:openstack:5::el6 RHSA-2016:0158 2016-02-10T00:00:00Z
Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7
python-django-0:1.6.11-4.el7ost cpe:/a:redhat:openstack:5::el7 RHSA-2016:0157 2016-02-10T00:00:00Z
Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7
python-django-0:1.6.11-4.el7ost cpe:/a:redhat:openstack:6::el7 RHSA-2016:0129 2016-02-08T00:00:00Z
Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7
python-django-0:1.8.7-1.el7 cpe:/a:redhat:openstack:7::el7 RHSA-2016:0156 2016-02-10T00:00:00Z
Red Hat Enterprise Linux OpenStack Platform 7.0 Operational Tools for RHEL 7
python-django-0:1.6.11-4.el7ost cpe:/a:redhat:openstack-optools:7::el7 RHSA-2016:0360 2016-03-08T00:00:00Z
References
Link Providers
http://lists.fedoraproject.org/pipermail/package-announce/2015-December/173375.html cve-icon cve-icon
http://lists.fedoraproject.org/pipermail/package-announce/2015-December/174770.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-updates/2015-12/msg00014.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-updates/2015-12/msg00017.html cve-icon cve-icon
http://rhn.redhat.com/errata/RHSA-2016-0129.html cve-icon cve-icon
http://rhn.redhat.com/errata/RHSA-2016-0156.html cve-icon cve-icon
http://rhn.redhat.com/errata/RHSA-2016-0157.html cve-icon cve-icon
http://rhn.redhat.com/errata/RHSA-2016-0158.html cve-icon cve-icon
http://www.debian.org/security/2015/dsa-3404 cve-icon cve-icon
http://www.securityfocus.com/bid/77750 cve-icon cve-icon
http://www.securitytracker.com/id/1034237 cve-icon cve-icon
http://www.ubuntu.com/usn/USN-2816-1 cve-icon cve-icon
https://github.com/django/django/commit/316bc3fc9437c5960c24baceb93c73f1939711e4 cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2015-8213 cve-icon
https://www.cve.org/CVERecord?id=CVE-2015-8213 cve-icon
https://www.djangoproject.com/weblog/2015/nov/24/security-releases-issued/ cve-icon cve-icon cve-icon
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2015-12-07T20:00:00

Updated: 2024-08-06T08:13:31.831Z

Reserved: 2015-11-14T00:00:00

Link: CVE-2015-8213

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2015-12-07T20:59:17.613

Modified: 2016-12-07T18:26:43.987

Link: CVE-2015-8213

cve-icon Redhat

Severity : Moderate

Publid Date: 2015-11-24T00:00:00Z

Links: CVE-2015-8213 - Bugzilla