SecurityTracker.com
SecurityTracker Archives

Category:   Application (Generic)  >   Django
Vendors:   djangoproject.com
Django Date Template Filter Bug Lets Remote Users Obtain Potentially Sensitive Application Settings Information
SecurityTracker Alert ID:  1034237
SecurityTracker URL:  http://securitytracker.com/id/1034237
CVE Reference:   CVE-2015-8213
Date:  Nov 24 2015
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes
Vendor Confirmed:  Yes

Description:   A vulnerability was reported in Django. A remote user can obtain potentially sensitive information on the target system.

The date template filter, which resolves its format argument through django.utils.formats.get_format(), does not properly validate user-supplied values. If an application passes user-controlled input to the date filter, a remote user can supply a specially crafted value and obtain arbitrary secret values from the application's settings.
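The following is an added illustration of the weakness class described above and of the allow-list fix pattern; it is not Django's code. The settings object, the placeholder secret, the tiny date formatter and the function names (get_format_unvalidated, get_format_allowlisted, render_date, resolves_outside_allowlist) are all constructed here. The allow-list mirrors the approach of the fix: a format name is only ever looked up in settings when it is one of a fixed set of known format settings; anything else is treated as a literal format string.

```python
"""Model of CVE-2015-8213's root cause and of the allow-list fix (added example, not Django code)."""
from datetime import date
from types import SimpleNamespace

# Constructed stand-in for django.conf.settings. The secret is a placeholder.
settings = SimpleNamespace(
    DATE_FORMAT="F j, Y",
    SHORT_DATE_FORMAT="m/d/Y",
    SECRET_KEY="PLACEHOLDER-secret-key-not-real",
)

# Constructed allow-list of the only names the filter may resolve from settings.
FORMAT_SETTINGS = frozenset({
    "DATE_FORMAT", "DATETIME_FORMAT", "TIME_FORMAT",
    "SHORT_DATE_FORMAT", "SHORT_DATETIME_FORMAT",
    "YEAR_MONTH_FORMAT", "MONTH_DAY_FORMAT",
})


def get_format_unvalidated(format_type: str) -> str:
    """Pre-fix behaviour (modelled): any string naming a settings attribute is resolved,
    so a value such as "SECRET_KEY" returns the secret instead of a format string."""
    return getattr(settings, format_type, format_type)


def get_format_allowlisted(format_type: str) -> str:
    """Fixed behaviour (modelled): resolve only allow-listed format settings; every other
    value is returned unchanged and rendered as a literal format string."""
    if format_type not in FORMAT_SETTINGS:
        return format_type
    return getattr(settings, format_type)


def format_date(value: date, fmt: str) -> str:
    """Tiny constructed subset of the PHP-style format characters the date filter uses.
    Unknown characters pass through unchanged."""
    table = {
        "Y": f"{value.year:04d}",
        "y": f"{value.year % 100:02d}",
        "m": f"{value.month:02d}",
        "n": str(value.month),
        "d": f"{value.day:02d}",
        "j": str(value.day),
        "F": value.strftime("%B"),
    }
    return "".join(table.get(ch, ch) for ch in fmt)


def render_date(value: date, fmt: str, lookup) -> str:
    """Mimic the template filter: resolve the format argument, then format the date."""
    return format_date(value, lookup(fmt))


def resolves_outside_allowlist(fmt: str) -> bool:
    """Audit helper: True when a format argument would be resolved from settings by the
    unvalidated lookup but rejected by the allow-list, i.e. the value that leaked."""
    return fmt not in FORMAT_SETTINGS and hasattr(settings, fmt)


if __name__ == "__main__":
    when = date(2015, 11, 24)
    for fmt in ("DATE_FORMAT", "SECRET_KEY"):
        print(fmt, "->", render_date(when, fmt, get_format_unvalidated),
              "|", render_date(when, fmt, get_format_allowlisted))
```

Run directly, the script prints the legitimate DATE_FORMAT rendering identically under both lookups, while the "SECRET_KEY" argument shows the placeholder secret leaking through the unvalidated path and a harmless literal under the allow-listed one. The point for a reviewer is that the safe version never consults the settings object for a name it does not already know.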

Ryan Butterfield reported this vulnerability.

Impact:   A remote user can obtain potentially sensitive application settings data on the target system.
Solution:   The vendor has issued a fix (1.7.11, 1.8.7, 1.9rc2).

The vendor's advisory is available at:

https://www.djangoproject.com/weblog/2015/nov/24/security-releases-issued/

Vendor URL:  www.djangoproject.com/weblog/2015/nov/24/security-releases-issued/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Nov 24 2015 (Ubuntu Issues Fix for Django) Django Date Template Filter Bug Lets Remote Users Obtain Potentially Sensitive Application Settings Information
Ubuntu has issued a fix for Django for Ubuntu Linux 12.04 LTS, 14.04 LTS, 15.04, and 15.10.
Feb 8 2016 (Red Hat Issues Fix) Django Date Template Filter Bug Lets Remote Users Obtain Potentially Sensitive Application Settings Information
Red Hat has issued a fix for Red Hat Enterprise Linux 7.
Feb 10 2016 (Red Hat Issues Fix) Django Date Template Filter Bug Lets Remote Users Obtain Potentially Sensitive Application Settings Information
Red Hat has issued a fix for Red Hat Enterprise Linux 7.
Feb 10 2016 (Red Hat Issues Fix) Django Date Template Filter Bug Lets Remote Users Obtain Potentially Sensitive Application Settings Information
Red Hat has issued a fix for Red Hat Enterprise Linux 7.
Feb 10 2016 (Red Hat Issues Fix) Django Date Template Filter Bug Lets Remote Users Obtain Potentially Sensitive Application Settings Information
Red Hat has issued a fix for Red Hat Enterprise Linux 6.
Mar 8 2016 (Red Hat Issues Fix) Django Date Template Filter Bug Lets Remote Users Obtain Potentially Sensitive Application Settings Information
Red Hat has issued a fix for python-django for Red Hat Enterprise Linux 7.

Source Message Contents

[Original Message Not Available for Viewing]

Copyright 2021, SecurityGlobal.net LLC