CVE-2015-8213: Infoleak
First published: Mon Dec 07 2015(Updated: )
The get_format function in `utils/formats.py` in Django before 1.7.x before 1.7.11, 1.8.x before 1.8.7, and 1.9.x before 1.9rc2 might allow remote attackers to obtain sensitive application secrets via a settings key in place of a date/time format setting, as demonstrated by `SECRET_KEY`.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Djangoproject Django | <=1.7.10 | |
| Djangoproject Django | =1.8.0 | |
| Djangoproject Django | =1.8.1 | |
| Djangoproject Django | =1.8.2 | |
| Djangoproject Django | =1.8.3 | |
| Djangoproject Django | =1.8.4 | |
| Djangoproject Django | =1.8.5 | |
| Djangoproject Django | =1.8.6 | |
| Djangoproject Django | =1.9.0-rc1 | |
| pip/Django | >=1.8a1<1.8.7 | 1.8.7 |
| pip/django | >=1.9a1<1.9rc2 | 1.9rc2 |
| pip/django | >=1.7<1.7.11 | 1.7.11 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.fedoraproject.org/pipermail/package-announce/2015-December/173375.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-December/174770.html
- http://lists.opensuse.org/opensuse-updates/2015-12/msg00014.html
- http://lists.opensuse.org/opensuse-updates/2015-12/msg00017.html
- http://rhn.redhat.com/errata/RHSA-2016-0129.html
- http://rhn.redhat.com/errata/RHSA-2016-0156.html
- http://rhn.redhat.com/errata/RHSA-2016-0157.html
- http://rhn.redhat.com/errata/RHSA-2016-0158.html
- http://www.debian.org/security/2015/dsa-3404
- http://www.securityfocus.com/bid/77750
- http://www.securitytracker.com/id/1034237
- http://www.ubuntu.com/usn/USN-2816-1
- https://github.com/django/django/commit/316bc3fc9437c5960c24baceb93c73f1939711e4
- https://www.djangoproject.com/weblog/2015/nov/24/security-releases-issued/
- https://nvd.nist.gov/vuln/detail/CVE-2015-8213
- https://github.com/django/django/commit/3ebbda0aef9e7a90ac6208bb8f9bc21228e2c7da
- https://github.com/django/django/commit/8a01c6b53169ee079cb21ac5919fdafcc8c5e172
- https://github.com/django/django/commit/9f83fc2f66f5a0bac7c291aec55df66050bb6991
- https://www.djangoproject.com/weblog/2015/nov/24/security-releases-issued
- https://github.com/advisories/GHSA-6wcr-wcqm-3mfh (Advisory)
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2015-11.yaml
Frequently Asked Questions
What is the severity of CVE-2015-8213?
CVE-2015-8213 is categorized as a medium severity vulnerability due to the potential exposure of sensitive application secrets.
How do I fix CVE-2015-8213?
To fix CVE-2015-8213, upgrade to Django versions 1.7.11, 1.8.7, or 1.9rc2 respectively.
What versions of Django are affected by CVE-2015-8213?
CVE-2015-8213 affects Django versions up to and including 1.7.10, all versions 1.8.0 to 1.8.6, and 1.9.0-rc1.
What type of attack can exploit CVE-2015-8213?
CVE-2015-8213 can be exploited by remote attackers who can potentially retrieve sensitive application settings.
Where can I find more information about CVE-2015-8213?
More information regarding CVE-2015-8213 can be found in security advisories and update notifications from Django.
- collector/nvd-index
- agent/type
- agent/remedy
- agent/weakness
- agent/description
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- agent/author
- collector/mitre-cve
- source/MITRE
- agent/event
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-6wcr-wcqm-3mfh
- alias/CVE-2015-8213
- agent/last-modified-date
- agent/severity
- agent/references
- collector/github-advisory
- agent/softwarecombine
- agent/trending
- agent/tags
- agent/source
- vendor/djangoproject
- canonical/djangoproject django
- version/djangoproject django/1.7.10
- version/djangoproject django/1.8.0
- version/djangoproject django/1.8.1
- version/djangoproject django/1.8.2
- version/djangoproject django/1.8.3
- version/djangoproject django/1.8.4
- version/djangoproject django/1.8.5
- version/djangoproject django/1.8.6
- version/djangoproject django/1.9.0-rc1
- package-manager/pip