CVE-2015-8213

The get_format function in utils/formats.py in Django before 1.7.x before 1.7.11, 1.8.x before 1.8.7, and 1.9.x before 1.9rc2 might allow remote attackers to obtain sensitive application secrets via a settings key in place of a date/time format setting, as demonstrated by SECRET_KEY.

Published Bycve@mitre.org

Published DateDec 07, 2015, 20:59

Affected Versions(3)

Django(PyPI)

Introduced1.7

Fixed1.7.11

LimitN/A

Django(PyPI)

Introduced1.8a1

Fixed1.8.7

LimitN/A

Django(PyPI)

Introduced1.9a1

Fixed1.9rc2

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
Django(PyPI)	1.7	1.7.11	N/A
Django(PyPI)	1.8a1	1.8.7	N/A
Django(PyPI)	1.9a1	1.9rc2	N/A

Weakness Type (CWE):CWE-200

CVSS Metrics

Base Score

Vector String

AV:N/AC:L/Au:N/C:P/I:N/A:N

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

PARTIAL

Integrity (I)

NONE

Availability (A)

NONE

References

Weakness Type (CWE):CWE-200

CVSS Metrics

Base Score

Vector String

AV:N/AC:L/Au:N/C:P/I:N/A:N

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

PARTIAL

Integrity (I)

NONE

Availability (A)

NONE