Bug 1283553 (CVE-2015-8213) - CVE-2015-8213 python-django: Information leak through date template filter
Summary: CVE-2015-8213 python-django: Information leak through date template filter
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-8213
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1285278 1285279 1285931 1285932 1285933 1285934 1285935 1286327 1297644 1297645
Blocks: 1283555
Reported: 2015-11-19 09:34 UTC by Adam Mariš
Modified: 2019-09-29 13:40 UTC (History)

Fixed In Version: python-django 1.9rc2, python-django 1.8.7, python-django 1.7.11
Doc Type: Bug Fix
Doc Text:
An information-exposure flaw was found in the Django date filter. If an application allowed users to provide non-validated date formats, a malicious end user could expose application-settings data by providing the relevant application-settings key instead of a valid date format.
Clone Of:
Environment:
Last Closed: 2016-03-09 22:20:37 UTC


Attachments
Django 1.7 (2.80 KB, patch), 2015-11-19 09:36 UTC, Adam Mariš
Django 1.8 (3.92 KB, patch), 2015-11-19 09:36 UTC, Adam Mariš
Django 1.9 (3.85 KB, patch), 2015-11-19 09:37 UTC, Adam Mariš
Django master (3.84 KB, patch), 2015-11-19 09:37 UTC, Adam Mariš


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:0129 normal SHIPPED_LIVE Moderate: python-django security update 2016-02-08 11:50:15 UTC
Red Hat Product Errata RHSA-2016:0156 normal SHIPPED_LIVE Moderate: python-django security update 2016-02-10 06:16:06 UTC
Red Hat Product Errata RHSA-2016:0157 normal SHIPPED_LIVE Moderate: python-django security update 2016-02-10 06:15:56 UTC
Red Hat Product Errata RHSA-2016:0158 normal SHIPPED_LIVE Moderate: python-django security update 2016-02-10 06:15:48 UTC
Red Hat Product Errata RHSA-2016:0360 normal SHIPPED_LIVE Moderate: python-django security update 2016-03-08 11:35:15 UTC

Description Adam Mariš 2015-11-19 09:34:44 UTC
A vulnerability in the date filter exposing information on application settings was found. If an application allows users to specify an unvalidated format for dates and passes this format to the ``date`` filter, e.g. ``{{ last_updated|date:user_date_format }}``, then a malicious user could obtain any secret in the application's settings by specifying a settings key instead of a date format, e.g. ``"SECRET_KEY"`` instead of ``"j/m/Y"``.

Affected supported versions are Django 1.9, 1.8 and 1.7.

External reference:

https://www.djangoproject.com/weblog/2015/nov/24/security-releases-issued/
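The lookup behind the report above and the allowlist fix, as an added model written for this page (not Django's own code): the settings values, the subset of the FORMAT_SETTINGS allowlist and the USER_DATE_FORMATS mapping are constructed assumptions, and only a handful of date specifiers are implemented.

```python
# Added example (not Django's own code): a small model of the CVE-2015-8213
# lookup in django.utils.formats.get_format() and of the allowlist fix.
from datetime import date
from types import SimpleNamespace

# Constructed stand-in for django.conf.settings; SECRET_KEY is a placeholder.
settings = SimpleNamespace(DATE_FORMAT="d/m/Y", SHORT_DATE_FORMAT="m/d/y",
                           SECRET_KEY="placeholder-secret-key")

# Names get_format() may resolve from settings (assumed subset of the
# FORMAT_SETTINGS allowlist introduced by the upstream fix).
FORMAT_SETTINGS = frozenset({"DATE_FORMAT", "DATETIME_FORMAT", "TIME_FORMAT",
                             "SHORT_DATE_FORMAT", "SHORT_DATETIME_FORMAT"})

def get_format_vulnerable(format_type):
    """Pre-fix lookup: any attribute name on settings is resolved."""
    return getattr(settings, format_type, format_type)

def get_format_fixed(format_type):
    """Post-fix lookup: only allowlisted names touch settings; anything else
    is handed back verbatim and rendered as a literal format string."""
    if format_type not in FORMAT_SETTINGS:
        return format_type
    return getattr(settings, format_type)

def render_date(value, fmt):
    """Tiny subset of Django's date specifiers (d, j, m, n, Y, y); any other
    character is emitted literally, as Django does."""
    spec = {"d": "%02d" % value.day, "j": str(value.day), "m": "%02d" % value.month,
            "n": str(value.month), "Y": str(value.year), "y": "%02d" % (value.year % 100)}
    return "".join(spec.get(ch, ch) for ch in fmt)

def date_filter(value, arg, get_format=get_format_fixed):
    """Model of ``{{ value|date:arg }}``: resolve the format name, then render."""
    return render_date(value, get_format(arg))

# Application-side defence independent of the Django version: never hand user
# input to the filter directly; map a user's choice onto known formats.
USER_DATE_FORMATS = {"dmy": "d/m/Y", "mdy": "m/d/Y", "iso": "Y-m-d"}

def user_format(choice, default="dmy"):
    return USER_DATE_FORMATS.get(choice, USER_DATE_FORMATS[default])

SAMPLE_DATE = date(2015, 11, 19)  # constructed input

if __name__ == "__main__":
    print(date_filter(SAMPLE_DATE, "j/m/Y"))
    print(date_filter(SAMPLE_DATE, "SECRET_KEY", get_format_vulnerable))  # setting leaks
    print(date_filter(SAMPLE_DATE, "SECRET_KEY"))  # treated as a literal format
    print(date_filter(SAMPLE_DATE, user_format("SECRET_KEY")))
```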

Comment 1 Adam Mariš 2015-11-19 09:36:08 UTC
Created attachment 1096569
Django 1.7

Comment 2 Adam Mariš 2015-11-19 09:36:46 UTC
Created attachment 1096570
Django 1.8

Comment 3 Adam Mariš 2015-11-19 09:37:14 UTC
Created attachment 1096571
Django 1.9

Comment 4 Adam Mariš 2015-11-19 09:37:36 UTC
Created attachment 1096572
Django master

Comment 5 Matthias Runge 2015-11-25 10:14:15 UTC
It's public now

Comment 7 Adam Mariš 2015-11-25 10:49:52 UTC
Created python-django tracking bugs for this issue:

Affects: fedora-all [bug 1285278]
Affects: epel-all [bug 1285279]

Comment 10 Fedora Update System 2015-12-07 20:29:31 UTC
python-django-1.8.7-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2015-12-24 05:06:56 UTC
python-django-1.6.11-4.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

Comment 13 Garth Mollett 2016-02-02 05:23:32 UTC
Acknowledgements:

Red Hat would like to thank the Django project for reporting this issue. Upstream acknowledges Ryan Butterfield as the original reporter.

Comment 14 errata-xmlrpc 2016-02-08 06:50:24 UTC
This issue has been addressed in the following products:

  OpenStack 6 for RHEL 7

Via RHSA-2016:0129 https://rhn.redhat.com/errata/RHSA-2016-0129.html

Comment 15 errata-xmlrpc 2016-02-10 01:16:21 UTC
This issue has been addressed in the following products:

  OpenStack 5 for RHEL 6

Via RHSA-2016:0158 https://rhn.redhat.com/errata/RHSA-2016-0158.html

Comment 16 errata-xmlrpc 2016-02-10 01:16:46 UTC
This issue has been addressed in the following products:

  OpenStack 5 for RHEL 7

Via RHSA-2016:0157 https://rhn.redhat.com/errata/RHSA-2016-0157.html

Comment 17 errata-xmlrpc 2016-02-10 01:17:07 UTC
This issue has been addressed in the following products:

  OpenStack 7 For RHEL 7

Via RHSA-2016:0156 https://rhn.redhat.com/errata/RHSA-2016-0156.html

Comment 18 errata-xmlrpc 2016-03-08 06:35:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux OpenStack Platform 7.0 Operational Tools for RHEL 7

Via RHSA-2016:0360 https://rhn.redhat.com/errata/RHSA-2016-0360.html
