Bug 1283553 (CVE-2015-8213) - CVE-2015-8213 python-django: Information leak through date template filter
Summary: CVE-2015-8213 python-django: Information leak through date template filter
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-8213
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1285278 1285279 1285931 1285932 1285933 1285934 1285935 1286327 1297644 1297645
Blocks:
Reported: 2015-11-19 09:34 UTC by Adam Mariš
Modified: 2023-05-13 00:49 UTC (History)

Fixed In Version: python-django 1.9rc2, python-django 1.8.7, python-django 1.7.11
Doc Type: Bug Fix
Doc Text:
An information-exposure flaw was found in the Django date filter. If an application allowed users to provide non-validated date formats, a malicious end user could expose application-settings data by providing the relevant applications-settings key instead of a valid date format.
Clone Of:
Environment:
Last Closed: 2016-03-09 22:20:37 UTC
Embargoed:


Attachments
Django 1.7 (deleted) - 2015-11-19 09:36 UTC, Adam Mariš
Django 1.8 (deleted) - 2015-11-19 09:36 UTC, Adam Mariš
Django 1.9 (deleted) - 2015-11-19 09:37 UTC, Adam Mariš
Django master (deleted) - 2015-11-19 09:37 UTC, Adam Mariš


Links
System                 | ID             | Private | Priority | Status       | Summary                                  | Last Updated
Red Hat Product Errata | RHSA-2016:0129 | 0       | normal   | SHIPPED_LIVE | Moderate: python-django security update  | 2016-02-08 11:50:15 UTC
Red Hat Product Errata | RHSA-2016:0156 | 0       | normal   | SHIPPED_LIVE | Moderate: python-django security update  | 2016-02-10 06:16:06 UTC
Red Hat Product Errata | RHSA-2016:0157 | 0       | normal   | SHIPPED_LIVE | Moderate: python-django security update  | 2016-02-10 06:15:56 UTC
Red Hat Product Errata | RHSA-2016:0158 | 0       | normal   | SHIPPED_LIVE | Moderate: python-django security update  | 2016-02-10 06:15:48 UTC
Red Hat Product Errata | RHSA-2016:0360 | 0       | normal   | SHIPPED_LIVE | Moderate: python-django security update  | 2016-03-08 11:35:15 UTC

Description Adam Mariš 2015-11-19 09:34:44 UTC
A vulnerability in the date filter exposing information on application settings was found. If an application allows users to specify an unvalidated format for dates and passes this format to the ``date`` filter, e.g. ``{{ last_updated|date:user_date_format }}``, then a malicious user could obtain any secret in the application's settings by specifying a settings key instead of a date format, e.g. ``"SECRET_KEY"`` instead of ``"j/m/Y"``.

Affected supported versions are Django 1.9, 1.8 and 1.7.

External reference:

https://www.djangoproject.com/weblog/2015/nov/24/security-releases-issued/
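The report above describes the risk of passing a user-controlled string straight into the ``date`` filter. The following is an added example, not part of this bug report and not Django's own code, showing the defensive pattern an application can apply on its side regardless of Django version: the user picks a preset *name*, and the application maps that name to a format string it wrote itself, so the filter never sees user-supplied text. A secondary character-level check is included for applications that must accept free-form formats; the helper names (``choose_date_format``, ``is_plausible_date_format``, ``vet_date_format``), the preset table and the sample inputs are all assumptions made for this example, and the check is a heuristic rather than a substitute for the preset mapping.

```python
"""Added example (not from the bug report or from Django): vetting a
user-supplied date format before it reaches the ``date`` template filter.
Plain Python, no Django import required. All names and presets are
assumptions made for this example.
"""
import re

# Preferred mitigation: the user chooses a preset *name*; the format string
# handed to the filter is always one the application wrote itself.
DATE_FORMAT_PRESETS = {
    "iso": "Y-m-d",
    "eu": "j/m/Y",
    "us": "m/d/Y",
    "long": "N j, Y",
}
DEFAULT_PRESET = "iso"


def choose_date_format(user_choice):
    """Map a preset name to a vetted format; unknown input falls back."""
    return DATE_FORMAT_PRESETS.get(user_choice, DATE_FORMAT_PRESETS[DEFAULT_PRESET])


# Secondary, heuristic check for applications that must accept free-form
# formats. The letters are the ones Django's date formatter interprets
# (django.utils.dateformat); a handful of literal separators and
# backslash-escaped characters are also allowed.
_FORMAT_CHARS = "aAbBcdDeEfFgGhHiIjlLmMnNoOPrsStTuUwWyYzZ"
_SEPARATORS = " /-.,:"
_ALLOWED = re.compile(r"(?:\\.|[" + re.escape(_FORMAT_CHARS + _SEPARATORS) + r"])+")

# A settings name can be spelled entirely with valid format letters
# (e.g. "DATABASES"), so additionally reject anything shaped like an
# upper-case identifier. Real date formats almost never look like that.
_IDENTIFIER_LIKE = re.compile(r"[A-Z][A-Z0-9_]+")


def is_plausible_date_format(fmt, max_len=40):
    """True only if fmt is short, built from known format/separator
    characters, and does not look like a settings identifier."""
    if not isinstance(fmt, str) or not 0 < len(fmt) <= max_len:
        return False
    if _IDENTIFIER_LIKE.fullmatch(fmt):
        return False
    return _ALLOWED.fullmatch(fmt) is not None


def vet_date_format(fmt, log):
    """Return a format that is safe to hand to the filter. Rejected input
    is recorded in `log` (a list here; an application would use its
    logger) so attempts are visible to operators, and a safe default is
    used instead."""
    if is_plausible_date_format(fmt):
        return fmt
    log.append(f"rejected user-supplied date format {fmt!r}")
    return DATE_FORMAT_PRESETS[DEFAULT_PRESET]


if __name__ == "__main__":
    # Constructed sample inputs: two legitimate formats, two strings shaped
    # like settings names, and one oversized value.
    events = []
    for candidate in ["j/m/Y", "N j, Y", "SECRET_KEY", "DATABASES", "x" * 80]:
        print(f"{candidate[:20]!r:24} -> {vet_date_format(candidate, events)!r}")
    for line in events:
        print(line)
```

In a view, ``choose_date_format(request.GET.get("fmt"))`` is the form to prefer; ``vet_date_format`` exists only for the case where free-form formats are a hard requirement, and even then the rejection log line is worth alerting on, since a legitimate user has little reason to submit an identifier-shaped "date format".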

Comment 1 Adam Mariš 2015-11-19 09:36:08 UTC
Created attachment 1096569 [details]
Django 1.7

Comment 2 Adam Mariš 2015-11-19 09:36:46 UTC
Created attachment 1096570 [details]
Django 1.8

Comment 3 Adam Mariš 2015-11-19 09:37:14 UTC
Created attachment 1096571 [details]
Django 1.9

Comment 4 Adam Mariš 2015-11-19 09:37:36 UTC
Created attachment 1096572 [details]
Django master

Comment 5 Matthias Runge 2015-11-25 10:14:15 UTC
It's public now

Comment 7 Adam Mariš 2015-11-25 10:49:52 UTC
Created python-django tracking bugs for this issue:

Affects: fedora-all [bug 1285278]
Affects: epel-all [bug 1285279]

Comment 10 Fedora Update System 2015-12-07 20:29:31 UTC
python-django-1.8.7-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2015-12-24 05:06:56 UTC
python-django-1.6.11-4.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

Comment 13 Garth Mollett 2016-02-02 05:23:32 UTC
Acknowledgements:

Red Hat would like to thank the Django project for reporting this issue. Upstream acknowledges Ryan Butterfield as the original reporter.

Comment 14 errata-xmlrpc 2016-02-08 06:50:24 UTC
This issue has been addressed in the following products:

  OpenStack 6 for RHEL 7

Via RHSA-2016:0129 https://rhn.redhat.com/errata/RHSA-2016-0129.html

Comment 15 errata-xmlrpc 2016-02-10 01:16:21 UTC
This issue has been addressed in the following products:

  OpenStack 5 for RHEL 6

Via RHSA-2016:0158 https://rhn.redhat.com/errata/RHSA-2016-0158.html

Comment 16 errata-xmlrpc 2016-02-10 01:16:46 UTC
This issue has been addressed in the following products:

  OpenStack 5 for RHEL 7

Via RHSA-2016:0157 https://rhn.redhat.com/errata/RHSA-2016-0157.html

Comment 17 errata-xmlrpc 2016-02-10 01:17:07 UTC
This issue has been addressed in the following products:

  OpenStack 7 For RHEL 7

Via RHSA-2016:0156 https://rhn.redhat.com/errata/RHSA-2016-0156.html

Comment 18 errata-xmlrpc 2016-03-08 06:35:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux OpenStack Platform 7.0 Operational Tools for RHEL 7

Via RHSA-2016:0360 https://rhn.redhat.com/errata/RHSA-2016-0360.html
