Description
The get_format function in utils/formats.py in Django 1.7.x before 1.7.11, 1.8.x before 1.8.7, and 1.9.x before 1.9rc2 might allow remote attackers to obtain sensitive application secrets via a settings key in place of a date/time format setting, as demonstrated by SECRET_KEY.
An information-exposure flaw was found in the Django date filter. If an application allowed users to provide non-validated date formats, a malicious end user could expose application-settings data by providing the relevant application-settings key instead of a valid date format.
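The following is an added example, not Django's own code, showing the defensive pattern behind the fix: a format lookup that resolves only an allowlisted set of format-setting names and treats anything else as a literal format string, plus an application-layer check so that user input can only select from a fixed menu. The FORMAT_SETTINGS allowlist, the mini format-character table, the settings dictionary and the sample timestamp are all constructed for this example (the secret value is a placeholder); the allowlist is assumed to mirror the names Django's formats module consults, not imported from Django.

```python
"""Added example: guarded vs. unguarded resolution of a date/time format name.

Runs offline against a constructed settings dictionary; nothing here is
Django's own code.
"""
from datetime import datetime

# Allowlist of setting names that are legitimately date/time/number formats.
# Assumption: mirrors the names Django's formats module consults.
FORMAT_SETTINGS = frozenset((
    "DECIMAL_SEPARATOR", "THOUSAND_SEPARATOR", "NUMBER_GROUPING",
    "FIRST_DAY_OF_WEEK", "MONTH_DAY_FORMAT", "TIME_FORMAT", "DATE_FORMAT",
    "DATETIME_FORMAT", "SHORT_DATE_FORMAT", "SHORT_DATETIME_FORMAT",
    "YEAR_MONTH_FORMAT", "DATE_INPUT_FORMATS", "TIME_INPUT_FORMATS",
    "DATETIME_INPUT_FORMATS",
))

# Constructed stand-in for a Django settings object; the secret is a placeholder.
CONSTRUCTED_SETTINGS = {
    "SECRET_KEY": "<placeholder-secret>",
    "DATE_FORMAT": "Y-m-d",
    "SHORT_DATE_FORMAT": "d/m/Y",
    "DATETIME_FORMAT": "Y-m-d H:i",
}

# Constructed sample timestamp used by the demo and the assertions.
SAMPLE_MOMENT = datetime(2016, 2, 10, 9, 30, 0)


def get_format_unguarded(format_name, settings):
    """Vulnerable pattern: any name is looked up in settings, so a settings
    key that is not a format (e.g. SECRET_KEY) resolves to its value."""
    return settings.get(format_name, format_name)


def get_format_guarded(format_name, settings):
    """Hardened pattern: only allowlisted format settings are resolved;
    any other name is returned unchanged and treated as a literal format."""
    if format_name in FORMAT_SETTINGS:
        return settings.get(format_name, format_name)
    return format_name


# Minimal subset of Django's date format characters mapped to strftime
# directives. Assumption: enough for the example; Django's table is larger.
_DJANGO_TO_STRFTIME = {
    "Y": "%Y", "m": "%m", "d": "%d", "H": "%H", "i": "%M", "s": "%S",
}


def render_date(value, format_name, settings, resolver=get_format_guarded):
    """Format `value` with the format returned by `resolver`, the way a date
    filter would. Characters outside the mini table are emitted literally;
    strftime is only ever called on fixed directives, never on user input."""
    fmt = resolver(format_name, settings)
    pieces = []
    for ch in fmt:
        if ch in _DJANGO_TO_STRFTIME:
            pieces.append(value.strftime(_DJANGO_TO_STRFTIME[ch]))
        else:
            pieces.append(ch)
    return "".join(pieces)


# Application-layer menu: the only format names a user may pick from.
USER_SELECTABLE_FORMATS = ("DATE_FORMAT", "SHORT_DATE_FORMAT", "DATETIME_FORMAT")


def is_allowed_user_format(choice):
    """Reject anything outside the menu before it reaches the resolver, so a
    settings key supplied as a 'format' is refused at the input boundary."""
    return choice in USER_SELECTABLE_FORMATS


if __name__ == "__main__":
    print(render_date(SAMPLE_MOMENT, "DATE_FORMAT", CONSTRUCTED_SETTINGS))
    # Unguarded: the settings key resolves to the (placeholder) secret value.
    print(get_format_unguarded("SECRET_KEY", CONSTRUCTED_SETTINGS))
    # Guarded: the same name is just a literal string, no lookup happens.
    print(get_format_guarded("SECRET_KEY", CONSTRUCTED_SETTINGS))
    print(render_date(SAMPLE_MOMENT, "SECRET_KEY", CONSTRUCTED_SETTINGS))
    print(is_allowed_user_format("SECRET_KEY"))
```

The two checks complement each other: the allowlist inside the resolver is the library-level fix, while the menu check is what an application should have had regardless of the Django version, since user input should never be used directly as a settings attribute name.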
Affected packages
Platform | Package | Status | Advisory | Release
---|---|---|---|---
Red Hat Ceph Storage 1.2 | Django | Will not fix | |
Red Hat Ceph Storage 1.3 | Django | Will not fix | |
Red Hat OpenStack Platform 8 (Liberty) | python-django | Not affected | |
Red Hat OpenStack Platform 8 (Liberty) Operational Tools | python-django | Not affected | |
Red Hat Subscription Asset Manager | Django | Will not fix | |
Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6 | python-django | Fixed | RHSA-2016:0158 | 10.02.2016
Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7 | python-django | Fixed | RHSA-2016:0157 | 10.02.2016
Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7 | python-django | Fixed | RHSA-2016:0129 | 08.02.2016
Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7 | python-django | Fixed | RHSA-2016:0156 | 10.02.2016
Red Hat Enterprise Linux OpenStack Platform 7.0 Operational Tools for RHEL 7 | python-django | Fixed | RHSA-2016:0360 | 08.03.2016
Additional information
CVSS2: 4.3 Medium