CVE-2015-8213

Published: 24 November 2015

The get_format function in utils/formats.py in Django before 1.7.x before 1.7.11, 1.8.x before 1.8.7, and 1.9.x before 1.9rc2 might allow remote attackers to obtain sensitive application secrets via a settings key in place of a date/time format setting, as demonstrated by SECRET_KEY.
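
The lookup pattern described above, next to an allowlisted form, as an added example (a simplified model, not Django's own code). The settings object, its values, and the function names get_format_unchecked, get_format_checked and exposed_settings are assumptions constructed for illustration.

```python
from types import SimpleNamespace

# Constructed stand-in for a project's settings module (all values made up).
settings = SimpleNamespace(
    SECRET_KEY="constructed-secret-not-a-real-key",
    DATABASE_PASSWORD="constructed-db-password",
    DATE_FORMAT="N j, Y",
    TIME_FORMAT="P",
    DATETIME_FORMAT="N j, Y, P",
)

# Hypothetical allowlist: the only names a format lookup may resolve.
FORMAT_SETTINGS = frozenset({"DATE_FORMAT", "TIME_FORMAT", "DATETIME_FORMAT"})


def get_format_unchecked(format_type):
    """Vulnerable pattern: any settings attribute can be read by name."""
    return getattr(settings, format_type, format_type)


def get_format_checked(format_type):
    """Hardened pattern: resolve only allowlisted format settings.

    Any other value is returned unchanged, so it is treated as a literal
    format string and never as a settings key.
    """
    if format_type not in FORMAT_SETTINGS:
        return format_type
    return getattr(settings, format_type)


def exposed_settings(lookup):
    """Regression check: non-format settings whose values lookup() returns."""
    return sorted(
        name
        for name, value in vars(settings).items()
        if name not in FORMAT_SETTINGS and lookup(name) == value
    )


if __name__ == "__main__":
    for fn in (get_format_unchecked, get_format_checked):
        print(fn.__name__, "exposes:", exposed_settings(fn))
```

A check like exposed_settings can be kept as a unit test so that a later refactor of the lookup cannot silently reintroduce the disclosure.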

Priority

Medium

Status

Package: python-django

Release                            Status
Upstream                           Released (1.8.7,1.7.11)
Ubuntu 16.04 LTS (Xenial Xerus)    Released (1.8.7-1ubuntu1)
Ubuntu 14.04 ESM (Trusty Tahr)     Released (1.6.1-2ubuntu0.11)