CVE-2015-8213

The get_format function in utils/formats.py in Django before 1.7.x before 1.7.11, 1.8.x before 1.8.7, and 1.9.x before 1.9rc2 might allow remote attackers to obtain sensitive application secrets via a settings key in place of a date/time format setting, as demonstrated by SECRET_KEY.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:N/C:P/I:N/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 85%
VendorProductVersion
djangoprojectdjango
𝑥
≤ 1.7.10
djangoprojectdjango
1.8.0
djangoprojectdjango
1.8.1
djangoprojectdjango
1.8.2
djangoprojectdjango
1.8.3
djangoprojectdjango
1.8.4
djangoprojectdjango
1.8.5
djangoprojectdjango
1.8.6
djangoprojectdjango
1.9.0:rc1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
python-django
bullseye (security)
2:2.2.28-1~deb11u2
fixed
bullseye
2:2.2.28-1~deb11u2
fixed
bookworm
3:3.2.19-1+deb12u1
fixed
bookworm (security)
3:3.2.19-1+deb12u1
fixed
sid
3:4.2.16-1
fixed
trixie
3:4.2.16-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
python-django
wily
Fixed 1.7.9-1ubuntu5.1
released
vivid
Fixed 1.7.6-1ubuntu2.3
released
trusty
Fixed 1.6.1-2ubuntu0.11
released
precise
Fixed 1.3.1-4ubuntu1.19
released
Common Weakness Enumeration
References
http://lists.fedoraproject.org/pipermail/package-announce/2015-December/173375.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-December/174770.html
http://lists.opensuse.org/opensuse-updates/2015-12/msg00014.html
http://lists.opensuse.org/opensuse-updates/2015-12/msg00017.html
http://rhn.redhat.com/errata/RHSA-2016-0129.html
http://rhn.redhat.com/errata/RHSA-2016-0156.html
http://rhn.redhat.com/errata/RHSA-2016-0157.html
http://rhn.redhat.com/errata/RHSA-2016-0158.html
http://www.debian.org/security/2015/dsa-3404
http://www.securityfocus.com/bid/77750
http://www.securitytracker.com/id/1034237
http://www.ubuntu.com/usn/USN-2816-1
https://github.com/django/django/commit/316bc3fc9437c5960c24baceb93c73f1939711e4
https://www.djangoproject.com/weblog/2015/nov/24/security-releases-issued/
http://lists.fedoraproject.org/pipermail/package-announce/2015-December/173375.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-December/174770.html
http://lists.opensuse.org/opensuse-updates/2015-12/msg00014.html
http://lists.opensuse.org/opensuse-updates/2015-12/msg00017.html
http://rhn.redhat.com/errata/RHSA-2016-0129.html
http://rhn.redhat.com/errata/RHSA-2016-0156.html
http://rhn.redhat.com/errata/RHSA-2016-0157.html
http://rhn.redhat.com/errata/RHSA-2016-0158.html
http://www.debian.org/security/2015/dsa-3404
http://www.securityfocus.com/bid/77750
http://www.securitytracker.com/id/1034237
http://www.ubuntu.com/usn/USN-2816-1
https://github.com/django/django/commit/316bc3fc9437c5960c24baceb93c73f1939711e4
https://www.djangoproject.com/weblog/2015/nov/24/security-releases-issued/