Moderate severity · NVD Advisory · Published Dec 7, 2015 · Updated Jun 17, 2026
CVE-2015-8213
Description
The get_format function in utils/formats.py in Django before 1.7.x before 1.7.11, 1.8.x before 1.8.7, and 1.9.x before 1.9rc2 might allow remote attackers to obtain sensitive application secrets via a settings key in place of a date/time format setting, as demonstrated by SECRET_KEY.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Django (PyPI) | >= 1.7, < 1.7.11 | 1.7.11 |
| Django (PyPI) | >= 1.8a1, < 1.8.7 | 1.8.7 |
| Django (PyPI) | >= 1.9a1, < 1.9rc2 | 1.9rc2 |
Affected products
- cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:* (range: <=1.7.10)
- cpe:2.3:a:djangoproject:django:1.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.8.2:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.8.3:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.8.4:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.8.5:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.8.6:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.9.0:rc1:*:*:*:*:*:*
- ghsa-coords (4 versions):
  - pkg:pypi/django
  - pkg:rpm/suse/python-Django&distro=SUSE%20Enterprise%20Storage%201.0
  - pkg:rpm/suse/python-Django&distro=SUSE%20Enterprise%20Storage%202
  - pkg:rpm/suse/python-Django&distro=SUSE%20OpenStack%20Cloud%205
- (no CPE) range: >= 1.7, < 1.7.11
- (no CPE) range: < 1.6.11-11.1
- (no CPE) range: < 1.6.11-3.1
- (no CPE) range: < 1.6.11-13.1
References
- www.djangoproject.com/weblog/2015/nov/24/security-releases-issued/ (nvd: Patch, Vendor Advisory)
- github.com/advisories/GHSA-6wcr-wcqm-3mfh (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2015-8213 (ghsa: ADVISORY)
- lists.fedoraproject.org/pipermail/package-announce/2015-December/173375.html (nvd: WEB)
- lists.fedoraproject.org/pipermail/package-announce/2015-December/174770.html (nvd: WEB)
- lists.opensuse.org/opensuse-updates/2015-12/msg00014.html (nvd: WEB)
- lists.opensuse.org/opensuse-updates/2015-12/msg00017.html (nvd: WEB)
- rhn.redhat.com/errata/RHSA-2016-0129.html (nvd: WEB)
- rhn.redhat.com/errata/RHSA-2016-0156.html (nvd: WEB)
- rhn.redhat.com/errata/RHSA-2016-0157.html (nvd: WEB)
- rhn.redhat.com/errata/RHSA-2016-0158.html (nvd: WEB)
- www.debian.org/security/2015/dsa-3404 (nvd: WEB)
- www.securityfocus.com/bid/77750 (nvd: WEB)
- www.securitytracker.com/id/1034237 (nvd: WEB)
- www.ubuntu.com/usn/USN-2816-1 (nvd: WEB)
- github.com/django/django/commit/316bc3fc9437c5960c24baceb93c73f1939711e4 (nvd: WEB)
- github.com/django/django/commit/3ebbda0aef9e7a90ac6208bb8f9bc21228e2c7da (ghsa: WEB)
- github.com/django/django/commit/8a01c6b53169ee079cb21ac5919fdafcc8c5e172 (ghsa: WEB)
- github.com/django/django/commit/9f83fc2f66f5a0bac7c291aec55df66050bb6991 (ghsa: WEB)
- github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2015-11.yaml (ghsa: WEB)
- www.djangoproject.com/weblog/2015/nov/24/security-releases-issued (ghsa: WEB)