CVE-2015-8213

Django <1.7.11, <1.8.7, <1.9rc2 - Info Disclosure

Title source: llm
STIX 2.1

Description

The get_format function in utils/formats.py in Django before 1.7.x before 1.7.11, 1.8.x before 1.8.7, and 1.9.x before 1.9rc2 might allow remote attackers to obtain sensitive application secrets via a settings key in place of a date/time format setting, as demonstrated by SECRET_KEY.

References (14)

Core 14
Core References
Mailing List vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2015-12/msg00014.html
Vendor Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-2816-1
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2016-0129.html
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2015-December/174770.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1034237
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2016-0158.html
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2016-0157.html
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2015/dsa-3404
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2016-0156.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/77750
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2015-December/173375.html
Mailing List vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2015-12/msg00017.html

Scores

EPSS 0.0428
EPSS Percentile 89.9%

Details

CWE
CWE-200
Status published
Products (10)
djangoproject/django 1.8.0
djangoproject/django 1.8.1
djangoproject/django 1.8.2
djangoproject/django 1.8.3
djangoproject/django 1.8.4
djangoproject/django 1.8.5
djangoproject/django 1.8.6
djangoproject/django 1.9.0 rc1
djangoproject/django < 1.7.10
pypi/Django 1.7 - 1.7.11PyPI
Published Dec 07, 2015
Tracked Since Feb 18, 2026