Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY (Don't Repeat Yourself) principle.
{"nessus": [{"lastseen": "2021-08-19T12:43:52", "description": "It was discovered that there was a potential settings leak in date template filter of Django, a web-development framework.\n\nIf an application allows users to specify an unvalidated format for dates and passes this format to the date filter, e.g. {{ last_updated|date:user_date_format }}, then a malicious user could obtain any secret in the application's settings by specifying a settings key instead of a date format. e.g. 'SECRET_KEY' instead of 'j/m/Y'.\n\nTo remedy this, the underlying function used by the date template filter, django.utils.formats.get_format(), now only allows accessing the date/time formatting settings.\n\nFor Debian 6 Squeeze, this issue has been fixed in python-django version 1.2.3-3+squeeze15.\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": null, "vector": null}, "published": "2015-11-30T00:00:00", "type": "nessus", "title": "Debian DLA-349-1 : python-django security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-8213"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:python-django", "p-cpe:/a:debian:debian_linux:python-django-doc", "cpe:/o:debian:debian_linux:6.0"], "id": "DEBIAN_DLA-349.NASL", "href": "https://www.tenable.com/plugins/nessus/87070", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-349-1. 
The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(87070);\n script_version(\"2.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2015-8213\");\n\n script_name(english:\"Debian DLA-349-1 : python-django security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that there was a potential settings leak in date\ntemplate filter of Django, a web-development framework.\n\nIf an application allows users to specify an unvalidated format for\ndates and passes this format to the date filter, e.g. {{\nlast_updated|date:user_date_format }}, then a malicious user could\nobtain any secret in the application's settings by specifying a\nsettings key instead of a date format. e.g. 'SECRET_KEY' instead of\n'j/m/Y'.\n\nTo remedy this, the underlying function used by the date template\nfilter, django.utils.formats.get_format(), now only allows accessing\nthe date/time formatting settings.\n\nFor Debian 6 Squeeze, this issue has been fixed in python-django\nversion 1.2.3-3+squeeze15.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. 
Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2015/11/msg00009.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/squeeze-lts/python-django\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Upgrade the affected python-django, and python-django-doc packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:python-django\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:python-django-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:6.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/11/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/11/30\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif 
(!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"6.0\", prefix:\"python-django\", reference:\"1.2.3-3+squeeze15\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"python-django-doc\", reference:\"1.2.3-3+squeeze15\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-08-19T12:43:52", "description": "Tim Graham reports :\n\nIf an application allows users to specify an unvalidated format for dates and passes this format to the date filter, e.g. {{ last_updated|date:user_date_format }}, then a malicious user could obtain any secret in the application's settings by specifying a settings key instead of a date format. e.g. 'SECRET_KEY' instead of 'j/m/Y'.", "cvss3": {"score": null, "vector": null}, "published": "2015-12-01T00:00:00", "type": "nessus", "title": "FreeBSD : django -- information leak vulnerability (11c52bc6-97aa-11e5-b8df-14dae9d210b8)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-8213"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:py27-django", "p-cpe:/a:freebsd:freebsd:py27-django-devel", "p-cpe:/a:freebsd:freebsd:py27-django17", "p-cpe:/a:freebsd:freebsd:py27-django18", "p-cpe:/a:freebsd:freebsd:py32-django", "p-cpe:/a:freebsd:freebsd:py32-django-devel", "p-cpe:/a:freebsd:freebsd:py32-django17", "p-cpe:/a:freebsd:freebsd:py32-django18", "p-cpe:/a:freebsd:freebsd:py33-django", "p-cpe:/a:freebsd:freebsd:py33-django-devel", "p-cpe:/a:freebsd:freebsd:py33-django17", "p-cpe:/a:freebsd:freebsd:py33-django18", "p-cpe:/a:freebsd:freebsd:py34-django", "p-cpe:/a:freebsd:freebsd:py34-django-devel", "p-cpe:/a:freebsd:freebsd:py34-django17", "p-cpe:/a:freebsd:freebsd:py34-django18", "cpe:/o:freebsd:freebsd"], "id": 
"FREEBSD_PKG_11C52BC697AA11E5B8DF14DAE9D210B8.NASL", "href": "https://www.tenable.com/plugins/nessus/87114", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(87114);\n script_version(\"2.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2015-8213\");\n\n script_name(english:\"FreeBSD : django -- information leak vulnerability (11c52bc6-97aa-11e5-b8df-14dae9d210b8)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Tim Graham reports :\n\nIf an application allows users to specify an unvalidated format for\ndates and passes this format to the date filter, e.g. {{\nlast_updated|date:user_date_format }}, then a malicious user could\nobtain any secret in the application's settings by specifying a\nsettings key instead of a date format. e.g. 
'SECRET_KEY' instead of\n'j/m/Y'.\"\n );\n # https://www.djangoproject.com/weblog/2015/nov/24/security-releases-issued/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?de256ceb\"\n );\n # https://vuxml.freebsd.org/freebsd/11c52bc6-97aa-11e5-b8df-14dae9d210b8.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?4497065b\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:py27-django\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:py27-django-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:py27-django17\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:py27-django18\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:py32-django\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:py32-django-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:py32-django17\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:py32-django18\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:py33-django\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:py33-django-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:py33-django17\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:py33-django18\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:py34-django\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:py34-django-devel\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:freebsd:freebsd:py34-django17\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:py34-django18\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/11/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/11/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/12/01\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"py27-django<1.8.7\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py32-django<1.8.7\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py33-django<1.8.7\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py34-django<1.8.7\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py27-django18<1.8.7\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py32-django18<1.8.7\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py33-django18<1.8.7\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py34-django18<1.8.7\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py27-django17<1.7.11\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py32-django17<1.7.11\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py33-django17<1.7.11\")) 
flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py34-django17<1.7.11\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py27-django-devel<=20150709,1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py32-django-devel<=20150709,1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py33-django-devel<=20150709,1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py34-django-devel<=20150709,1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-08-19T12:44:00", "description": "Ryan Butterfield discovered that Django incorrectly handled the date template filter. A remote attacker could possibly use this issue to obtain secrets from application settings.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": null, "vector": null}, "published": "2015-11-25T00:00:00", "type": "nessus", "title": "Ubuntu 12.04 LTS / 14.04 LTS / 15.04 / 15.10 : python-django vulnerability (USN-2816-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-8213"], "modified": "2021-01-19T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:python-django", "p-cpe:/a:canonical:ubuntu_linux:python3-django", "cpe:/o:canonical:ubuntu_linux:12.04:-:lts", "cpe:/o:canonical:ubuntu_linux:14.04", "cpe:/o:canonical:ubuntu_linux:15.04", "cpe:/o:canonical:ubuntu_linux:15.10"], "id": "UBUNTU_USN-2816-1.NASL", "href": "https://www.tenable.com/plugins/nessus/87065", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-2816-1. 
The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(87065);\n script_version(\"2.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2015-8213\");\n script_xref(name:\"USN\", value:\"2816-1\");\n\n script_name(english:\"Ubuntu 12.04 LTS / 14.04 LTS / 15.04 / 15.10 : python-django vulnerability (USN-2816-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Ryan Butterfield discovered that Django incorrectly handled the date\ntemplate filter. A remote attacker could possibly use this issue to\nobtain secrets from application settings.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/2816-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected python-django and / or python3-django packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:python-django\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:python3-django\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:12.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:15.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:15.10\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/12/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/11/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/11/25\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2015-2020 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(12\\.04|14\\.04|15\\.04|15\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 12.04 / 14.04 / 15.04 / 15.10\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"12.04\", pkgname:\"python-django\", pkgver:\"1.3.1-4ubuntu1.19\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"python-django\", pkgver:\"1.6.1-2ubuntu0.11\")) flag++;\nif (ubuntu_check(osver:\"15.04\", pkgname:\"python-django\", pkgver:\"1.7.6-1ubuntu2.3\")) flag++;\nif (ubuntu_check(osver:\"15.04\", pkgname:\"python3-django\", pkgver:\"1.7.6-1ubuntu2.3\")) flag++;\nif (ubuntu_check(osver:\"15.10\", pkgname:\"python-django\", pkgver:\"1.7.9-1ubuntu5.1\")) flag++;\nif (ubuntu_check(osver:\"15.10\", pkgname:\"python3-django\", pkgver:\"1.7.9-1ubuntu5.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python-django / python3-django\");\n}\n", "cvss": {"score": 5, "vector": 
"AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-08-19T12:44:04", "description": "Ryan Butterfield discovered a vulnerability in the date template filter in python-django, a high-level Python web development framework. A remote attacker can take advantage of this flaw to obtain any secret in the application's settings.", "cvss3": {"score": null, "vector": null}, "published": "2015-11-30T00:00:00", "type": "nessus", "title": "Debian DSA-3404-1 : python-django - security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-8213"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:python-django", "cpe:/o:debian:debian_linux:7.0", "cpe:/o:debian:debian_linux:8.0"], "id": "DEBIAN_DSA-3404.NASL", "href": "https://www.tenable.com/plugins/nessus/87077", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-3404. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(87077);\n script_version(\"2.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2015-8213\");\n script_xref(name:\"DSA\", value:\"3404\");\n\n script_name(english:\"Debian DSA-3404-1 : python-django - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Ryan Butterfield discovered a vulnerability in the date template\nfilter in python-django, a high-level Python web development\nframework. 
A remote attacker can take advantage of this flaw to obtain\nany secret in the application's settings.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/python-django\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/python-django\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2015/dsa-3404\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the python-django packages.\n\nFor the oldstable distribution (wheezy), this problem has been fixed\nin version 1.4.5-1+deb7u14.\n\nFor the stable distribution (jessie), this problem has been fixed in\nversion 1.7.7-1+deb8u3.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:python-django\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/11/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/11/30\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"python-django\", reference:\"1.4.5-1+deb7u14\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"python-django-doc\", reference:\"1.4.5-1+deb7u14\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"python-django\", reference:\"1.7.7-1+deb8u3\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"python-django-common\", reference:\"1.7.7-1+deb8u3\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"python-django-doc\", reference:\"1.7.7-1+deb8u3\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"python3-django\", reference:\"1.7.7-1+deb8u3\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-08-19T12:42:58", "description": "This update fixes CVE-2015-8213: Fixed settings leak possibility in date template filter, more info can be found https://www.djangoproject.com/weblog/2015/nov/24/security-releases-iss ued/\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": null, "vector": null}, "published": "2016-03-04T00:00:00", "type": "nessus", "title": "Fedora 23 : python-django-1.8.7-1.fc23 (2015-a8c8f60fbd)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-8213"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:python-django", "cpe:/o:fedoraproject:fedora:23"], "id": "FEDORA_2015-A8C8F60FBD.NASL", "href": "https://www.tenable.com/plugins/nessus/89358", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2015-a8c8f60fbd.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(89358);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2015-8213\");\n script_xref(name:\"FEDORA\", value:\"2015-a8c8f60fbd\");\n\n script_name(english:\"Fedora 23 : python-django-1.8.7-1.fc23 (2015-a8c8f60fbd)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update fixes CVE-2015-8213: Fixed settings leak possibility in\ndate template filter, more info can be found\nhttps://www.djangoproject.com/weblog/2015/nov/24/security-releases-iss\nued/\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1283553\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2015-December/173375.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?2cd5d058\"\n );\n # https://www.djangoproject.com/weblog/2015/nov/24/security-releases-issued/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?de256ceb\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected python-django package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:python-django\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:23\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/12/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/03/04\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", 
string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^23([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 23.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC23\", reference:\"python-django-1.8.7-1.fc23\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python-django\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-08-19T12:43:39", "description": "The python-Django package was updated to fix the following security issue :\n\n - CVE-2015-8213: Fixed a problem to prevent settings leak in date template filter (bnc#955412).", "cvss3": {"score": null, "vector": null}, "published": "2015-12-17T00:00:00", "type": "nessus", "title": "openSUSE Security Update : python-Django (openSUSE-2015-862)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-8213"], "modified": "2021-01-19T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:python-Django", "cpe:/o:novell:opensuse:13.2"], "id": "OPENSUSE-2015-862.NASL", "href": "https://www.tenable.com/plugins/nessus/87439", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2015-862.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n 
script_id(87439);\n script_version(\"2.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2015-8213\");\n\n script_name(english:\"openSUSE Security Update : python-Django (openSUSE-2015-862)\");\n script_summary(english:\"Check for the openSUSE-2015-862 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The python-Django package was updated to fix the following security\nissue :\n\n - CVE-2015-8213: Fixed a problem to prevent settings leak\n in date template filter (bnc#955412).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=955412\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected python-Django package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python-Django\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:13.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/12/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/12/17\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease 
= get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE13\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"13.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE13.2\", reference:\"python-Django-1.6.11-3.13.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python-Django\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-08-19T12:43:49", "description": "The python-django package was updated to fix the following security issue :\n\n - CVE-2015-8213: Fixed a problem to prevent settings leak in date template filter (bnc#955412)", "cvss3": {"score": null, "vector": null}, "published": "2015-12-17T00:00:00", "type": "nessus", "title": "openSUSE Security Update : python-django (openSUSE-2015-860)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-8213"], "modified": "2021-01-19T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:python-django", "cpe:/o:novell:opensuse:13.1"], "id": "OPENSUSE-2015-860.NASL", "href": "https://www.tenable.com/plugins/nessus/87438", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2015-860.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(87438);\n script_version(\"2.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2015-8213\");\n\n 
script_name(english:\"openSUSE Security Update : python-django (openSUSE-2015-860)\");\n script_summary(english:\"Check for the openSUSE-2015-860 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The python-django package was updated to fix the following security\nissue :\n\n - CVE-2015-8213: Fixed a problem to prevent settings leak\n in date template filter (bnc#955412)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=955412\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected python-django package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python-django\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:13.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/12/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/12/17\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE13\\.1)$\") 
audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"13.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE13.1\", reference:\"python-django-1.5.12-0.2.17.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python-django\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-03-27T14:52:35", "description": "Update to 1.8.7 , fixing CVE-2015-8213 (rhbz#1285278) ---- python- django-1.8.4-1.fc22 - Do not install bash completion for python executables (Ville Skytta, rhbz#1253076) - CVE-2015-5963 Denial-of-service possibility in logout() view by filling session store (rhbz#1254911) - CVE-2015-5964 Denial- of-service possibility in logout() view by filling session store (rhbz#1252891) python-django-1.8.4-1.fc23 - Do not install bash completion for python executables (Ville Skytta, rhbz#1253076) - CVE-2015-5963 Denial-of- service possibility in logout() view by filling session store (rhbz#1254911) - CVE-2015-5964 Denial-of-service possibility in logout() view by filling session store (rhbz#1252891)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": null, "vector": null}, "published": "2016-03-04T00:00:00", "type": "nessus", "title": "Fedora 22 : python-django-1.8.7-1.fc22 (2015-323274d412)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-5963", "CVE-2015-5964", "CVE-2015-8213"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:python-django", "cpe:/o:fedoraproject:fedora:22"], "id": "FEDORA_2015-323274D412.NASL", "href": "https://www.tenable.com/plugins/nessus/89201", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2015-323274d412.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(89201);\n script_version(\"2.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2015-8213\");\n script_xref(name:\"FEDORA\", value:\"2015-323274d412\");\n\n script_name(english:\"Fedora 22 : python-django-1.8.7-1.fc22 (2015-323274d412)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Update to 1.8.7 , fixing CVE-2015-8213 (rhbz#1285278) ---- python-\ndjango-1.8.4-1.fc22 - Do not install bash completion for python\nexecutables (Ville Skytta, rhbz#1253076) - CVE-2015-5963\nDenial-of-service possibility in logout() view by filling session\nstore (rhbz#1254911) - CVE-2015-5964 Denial- of-service possibility in\nlogout() view by filling session store (rhbz#1252891)\npython-django-1.8.4-1.fc23 - Do not install bash completion for python\nexecutables (Ville Skytta, rhbz#1253076) - CVE-2015-5963 
Denial-of-\nservice possibility in logout() view by filling session store\n(rhbz#1254911) - CVE-2015-5964 Denial-of-service possibility in\nlogout() view by filling session store (rhbz#1252891)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1285278\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2015-December/174770.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?ac0a4ac4\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected python-django package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:python-django\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:22\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/12/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/03/04\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif 
(isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^22([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 22.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC22\", reference:\"python-django-1.8.7-1.fc22\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python-django\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "debian": [{"lastseen": "2021-12-30T05:03:07", "description": "Package : python-django\nVersion : 1.2.3-3+squeeze15\nCVE ID : CVE-2015-8213\n\nIt was discovered that there was a potential settings leak in date\ntemplate filter of Django, a web-development framework.\n\nIf an application allows users to specify an unvalidated format for\ndates and passes this format to the date filter, e.g.\n{{ last_updated|date:user_date_format }}, then a malicious user\ncould obtain any secret in the application's settings by specifying\na settings key instead of a date format. e.g. 
"SECRET_KEY" instead\nof "j/m/Y".\n\nTo remedy this, the underlying function used by the date template\nfilter, django.utils.formats.get_format(), now only allows accessing\nthe date/time formatting settings.\n\nFor Debian 6 Squeeze, this issue has been fixed in python-django\nversion 1.2.3-3+squeeze15.\n\n\nRegards,\n\n- -- \n ,''`.\n : :' : Chris Lamb\n `. `'` lamby@debian.org / chris-lamb.co.uk\n `-", "cvss3": {}, "published": "2015-11-25T21:40:45", "type": "debian", "title": "[SECURITY] [DLA 349-1] python-django security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-8213"], "modified": "2015-11-25T21:40:45", "id": "DEBIAN:DLA-349-1:1690A", "href": "https://lists.debian.org/debian-lts-announce/2015/11/msg00009.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-02-01T00:00:00", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3404-1 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nNovember 25, 2015 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : python-django\nCVE ID : CVE-2015-8213\n\nRyan Butterfield discovered a vulnerability in the date template filter\nin python-django, a high-level Python web development framework. 
A\nremote attacker can take advantage of this flaw to obtain any secret in\nthe application's settings.\n\nFor the oldstable distribution (wheezy), this problem has been fixed\nin version 1.4.5-1+deb7u14.\n\nFor the stable distribution (jessie), this problem has been fixed in\nversion 1.7.7-1+deb8u3.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 1.8.7-1.\n\nWe recommend that you upgrade your python-django packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org", "cvss3": {}, "published": "2015-11-25T17:32:31", "type": "debian", "title": "[SECURITY] [DSA 3404-1] python-django security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-8213"], "modified": "2015-11-25T17:32:31", "id": "DEBIAN:DSA-3404-1:85AF5", "href": "https://lists.debian.org/debian-security-announce/2015/msg00309.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-10-21T22:41:57", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3404-1 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nNovember 25, 2015 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : python-django\nCVE ID : 
CVE-2015-8213\n\nRyan Butterfield discovered a vulnerability in the date template filter\nin python-django, a high-level Python web development framework. A\nremote attacker can take advantage of this flaw to obtain any secret in\nthe application's settings.\n\nFor the oldstable distribution (wheezy), this problem has been fixed\nin version 1.4.5-1+deb7u14.\n\nFor the stable distribution (jessie), this problem has been fixed in\nversion 1.7.7-1+deb8u3.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 1.8.7-1.\n\nWe recommend that you upgrade your python-django packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org", "cvss3": {}, "published": "2015-11-25T17:32:31", "type": "debian", "title": "[SECURITY] [DSA 3404-1] python-django security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-8213"], "modified": "2015-11-25T17:32:31", "id": "DEBIAN:DSA-3404-1:9DF59", "href": "https://lists.debian.org/debian-security-announce/2015/msg00309.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "redhat": [{"lastseen": "2021-10-21T04:44:56", "description": "Django is a high-level Python Web framework that encourages rapid\ndevelopment and a clean, pragmatic design. 
It focuses on automating as much\nas possible and adhering to the DRY (Don't Repeat Yourself) principle.\n\nAn information-exposure flaw was found in the Django date filter. If an\napplication allowed users to provide non-validated date formats, a\nmalicious end user could expose application-settings data by providing\nthe relevant applications-settings key instead of a valid date format. \n(CVE-2015-8213)\n\nRed Hat would like to thank the Django project for reporting this issue.\nUpstream acknowledges Ryan Butterfield as the original reporter.\n\nAll python-django users are advised to upgrade to these updated packages,\nwhich contain backported patches to correct this issue.", "cvss3": {}, "published": "2016-03-08T06:31:21", "type": "redhat", "title": "(RHSA-2016:0360) Moderate: python-django security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-8213"], "modified": "2018-03-19T12:27:05", "id": "RHSA-2016:0360", "href": "https://access.redhat.com/errata/RHSA-2016:0360", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-10-21T04:42:57", "description": "Django is a high-level Python Web framework that encourages rapid\ndevelopment and a clean, pragmatic design. It focuses on automating as much\nas possible and adhering to the DRY (Don't Repeat Yourself) principle.\n\nAn information-exposure flaw was found in the Django date filter. 
If an\napplication allowed users to provide non-validated date formats, a\nmalicious end user could expose application-settings data by providing\nthe relevant applications-settings key instead of a valid date format. \n(CVE-2015-8213)\n\nRed Hat would like to thank the Django project for reporting this issue.\nUpstream acknowledges Ryan Butterfield as the original reporter.\n\nAll python-django users are advised to upgrade to these updated packages,\nwhich contain backported patches to correct this issue.", "cvss3": {}, "published": "2016-02-08T06:43:05", "type": "redhat", "title": "(RHSA-2016:0129) Moderate: python-django security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-8213"], "modified": "2018-03-19T12:26:58", "id": "RHSA-2016:0129", "href": "https://access.redhat.com/errata/RHSA-2016:0129", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-10-19T20:41:10", "description": "Django is a high-level Python Web framework that encourages rapid\ndevelopment and a clean, pragmatic design. It focuses on automating as much\nas possible and adhering to the DRY (Don't Repeat Yourself) principle.\n\nAn information-exposure flaw was found in the Django date filter. If an\napplication allowed users to provide non-validated date formats, a\nmalicious end user could expose application-settings data by providing\nthe relevant applications-settings key instead of a valid date format. 
\n(CVE-2015-8213)\n\nRed Hat would like to thank the Django project for reporting this issue.\nUpstream acknowledges Ryan Butterfield as the original reporter.\n\nAll python-django users are advised to upgrade to these updated packages,\nwhich contain backported patches to correct this issue.", "cvss3": {}, "published": "2016-02-10T01:06:28", "type": "redhat", "title": "(RHSA-2016:0158) Moderate: python-django security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-8213"], "modified": "2018-06-06T22:47:59", "id": "RHSA-2016:0158", "href": "https://access.redhat.com/errata/RHSA-2016:0158", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-10-21T04:44:32", "description": "Django is a high-level Python Web framework that encourages rapid\ndevelopment and a clean, pragmatic design. It focuses on automating as much\nas possible and adhering to the DRY (Don't Repeat Yourself) principle.\n\nAn information-exposure flaw was found in the Django date filter. If an\napplication allowed users to provide non-validated date formats, a\nmalicious end user could expose application-settings data by providing\nthe relevant applications-settings key instead of a valid date format. 
\n(CVE-2015-8213)\n\nRed Hat would like to thank the Django project for reporting this issue.\nUpstream acknowledges Ryan Butterfield as the original reporter.\n\nAll python-django users are advised to upgrade to these updated packages,\nwhich contain backported patches to correct this issue.", "cvss3": {}, "published": "2016-02-10T01:06:18", "type": "redhat", "title": "(RHSA-2016:0157) Moderate: python-django security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-8213"], "modified": "2018-03-19T12:26:41", "id": "RHSA-2016:0157", "href": "https://access.redhat.com/errata/RHSA-2016:0157", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-10-21T04:44:57", "description": "Django is a high-level Python Web framework that encourages rapid\ndevelopment and a clean, pragmatic design. It focuses on automating as much\nas possible and adhering to the DRY (Don't Repeat Yourself) principle.\n\nAn information-exposure flaw was found in the Django date filter. If an\napplication allowed users to provide non-validated date formats, a\nmalicious end user could expose application-settings data by providing\nthe relevant applications-settings key instead of a valid date format. 
\n(CVE-2015-8213)\n\nRed Hat would like to thank the Django project for reporting this issue.\nUpstream acknowledges Ryan Butterfield as the original reporter.\n\nAll python-django users are advised to upgrade to these updated packages,\nwhich contain backported patches to correct this issue.", "cvss3": {}, "published": "2016-02-10T01:06:15", "type": "redhat", "title": "(RHSA-2016:0156) Moderate: python-django security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-8213"], "modified": "2018-03-19T12:27:10", "id": "RHSA-2016:0156", "href": "https://access.redhat.com/errata/RHSA-2016:0156", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "freebsd": [{"lastseen": "2022-01-19T15:51:32", "description": "\n\nTim Graham reports:\n\nIf an application allows users to specify an unvalidated\n\t format for dates and passes this format to the date filter, e.g. {{\n\t last_updated|date:user_date_format }}, then a malicious user could\n\t obtain any secret in the application's settings by specifying a settings\n\t key instead of a date format. e.g. 
\"SECRET_KEY\" instead of \"j/m/Y\".\n\n\n", "cvss3": {}, "published": "2015-11-24T00:00:00", "type": "freebsd", "title": "django -- information leak vulnerability", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-8213"], "modified": "2015-12-24T00:00:00", "id": "11C52BC6-97AA-11E5-B8DF-14DAE9D210B8", "href": "https://vuxml.freebsd.org/freebsd/11c52bc6-97aa-11e5-b8df-14dae9d210b8.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "mageia": [{"lastseen": "2022-04-18T11:19:34", "description": "If an application allows users to specify an unvalidated format for dates and passes this format to the date filter, then a malicious user could obtain any secret in the application's settings by specifying a settings key instead of a date format (CVE-2015-8213). 
\n", "cvss3": {}, "published": "2015-12-04T23:31:36", "type": "mageia", "title": "Updated python-django packages fix security vulnerability\n", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-8213"], "modified": "2015-12-04T23:31:36", "id": "MGASA-2015-0463", "href": "https://advisories.mageia.org/MGASA-2015-0463.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "gitlab": [{"lastseen": "2022-06-09T23:10:29", "description": "If an application allows users to specify an unvalidated format for dates and passes this format to the `date` filter, a malicious user could obtain any secret in the application's settings by specifying a settings key instead of a date format. e.g. 
`SECRET_KEY` instead of `j/m/Y`.", "cvss3": {}, "published": "2015-12-07T00:00:00", "type": "gitlab", "title": "Settings leak in date template filter", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-8213"], "modified": "2015-12-07T00:00:00", "id": "GITLAB-7D095365F7951016B48FBAE4DE71AFBF", "href": "https://gitlab.com/api/v4/projects/12006272/repository/files/pypi%2FDjango%2FCVE-2015-8213.yml/raw", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "ubuntu": [{"lastseen": "2022-01-04T12:33:11", "description": "Ryan Butterfield discovered that Django incorrectly handled the date \ntemplate filter. 
A remote attacker could possibly use this issue to obtain \nsecrets from application settings.\n", "cvss3": {}, "published": "2015-11-24T00:00:00", "type": "ubuntu", "title": "Django vulnerability", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-8213"], "modified": "2015-11-24T00:00:00", "id": "USN-2816-1", "href": "https://ubuntu.com/security/notices/USN-2816-1", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "openvas": [{"lastseen": "2019-05-29T18:35:56", "description": "Mageia Linux Local Security Checks mgasa-2015-0463", "cvss3": {}, "published": "2015-12-08T00:00:00", "type": "openvas", "title": "Mageia Linux Local Check: mgasa-2015-0463", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-8213"], "modified": "2018-09-28T00:00:00", "id": "OPENVAS:1361412562310131147", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310131147", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: mgasa-2015-0463.nasl 11692 2018-09-28 16:55:19Z cfischer $\n#\n# Mageia Linux security check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://www.solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will 
be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.131147\");\n script_version(\"$Revision: 11692 $\");\n script_tag(name:\"creation_date\", value:\"2015-12-08 11:03:40 +0200 (Tue, 08 Dec 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 18:55:19 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Mageia Linux Local Check: mgasa-2015-0463\");\n script_tag(name:\"insight\", value:\"If an application allows users to specify an unvalidated format for dates and passes this format to the date filter, then a malicious user could obtain any secret in the application's settings by specifying a settings key instead of a date format (CVE-2015-8213).\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://advisories.mageia.org/MGASA-2015-0463.html\");\n script_cve_id(\"CVE-2015-8213\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/mageia_linux\", \"ssh/login/release\", re:\"ssh/login/release=MAGEIA5\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Mageia Linux Local Security Checks mgasa-2015-0463\");\n script_copyright(\"Eero Volotinen\");\n script_family(\"Mageia Linux 
Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"MAGEIA5\")\n{\nif ((res = isrpmvuln(pkg:\"python-django\", rpm:\"python-django~1.8.7~1.mga5\", rls:\"MAGEIA5\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T18:36:32", "description": "Ryan Butterfield discovered\na vulnerability in the date template filter in python-django, a high-level Python\nweb development framework. A remote attacker can take advantage of this\nflaw to obtain any secret in the application's settings.", "cvss3": {}, "published": "2015-11-25T00:00:00", "type": "openvas", "title": "Debian Security Advisory DSA 3404-1 (python-django - security update)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-8213"], "modified": "2019-03-18T00:00:00", "id": "OPENVAS:1361412562310703404", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703404", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3404.nasl 14278 2019-03-18 14:47:26Z cfischer $\n# Auto-generated from advisory DSA 3404-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2015 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR 
PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703404\");\n script_version(\"$Revision: 14278 $\");\n script_cve_id(\"CVE-2015-8213\");\n script_name(\"Debian Security Advisory DSA 3404-1 (python-django - security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:47:26 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-11-25 00:00:00 +0100 (Wed, 25 Nov 2015)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"http://www.debian.org/security/2015/dsa-3404.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2015 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB(7|8)\");\n script_tag(name:\"affected\", value:\"python-django on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the oldstable distribution (wheezy),\nthis problem has been fixed in version 1.4.5-1+deb7u14.\n\nFor the stable distribution (jessie), this problem has been fixed in\nversion 1.7.7-1+deb8u3.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 1.8.7-1.\n\nWe recommend that you upgrade your python-django packages.\");\n script_tag(name:\"summary\", value:\"Ryan Butterfield discovered\na vulnerability in the date template filter in python-django, a high-level 
Python\nweb development framework. A remote attacker can take advantage of this\nflaw to obtain any secret in the application's settings.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software\nversion using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"python-django\", ver:\"1.4.5-1+deb7u14\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"python-django-doc\", ver:\"1.4.5-1+deb7u14\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"python-django\", ver:\"1.7.7-1+deb8u3\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"python-django-common\", ver:\"1.7.7-1+deb8u3\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"python-django-doc\", ver:\"1.7.7-1+deb8u3\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"python3-django\", ver:\"1.7.7-1+deb8u3\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2017-07-24T12:53:21", "description": "Ryan Butterfield discovered\na vulnerability in the date template filter in python-django, a high-level Python\nweb development framework. 
A remote attacker can take advantage of this\nflaw to obtain any secret in the application's settings.", "cvss3": {}, "published": "2015-11-25T00:00:00", "type": "openvas", "title": "Debian Security Advisory DSA 3404-1 (python-django - security update)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-8213"], "modified": "2017-07-07T00:00:00", "id": "OPENVAS:703404", "href": "http://plugins.openvas.org/nasl.php?oid=703404", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3404.nasl 6609 2017-07-07 12:05:59Z cfischer $\n# Auto-generated from advisory DSA 3404-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2015 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n\nif(description)\n{\n script_id(703404);\n script_version(\"$Revision: 6609 $\");\n script_cve_id(\"CVE-2015-8213\");\n script_name(\"Debian Security Advisory DSA 3404-1 (python-django - security update)\");\n script_tag(name: \"last_modification\", value: \"$Date: 2017-07-07 14:05:59 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name: \"creation_date\", value: \"2015-11-25 00:00:00 +0100 (Wed, 25 Nov 2015)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name: \"solution_type\", value: \"VendorFix\");\n script_tag(name: \"qod_type\", value: \"package\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2015/dsa-3404.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2015 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: \"python-django on Debian Linux\");\n script_tag(name: \"insight\", value: \"Django is a high-level web application\nframework that loosely follows the model-view-controller design pattern.\");\n script_tag(name: \"solution\", value: \"For the oldstable distribution (wheezy),\nthis problem has been fixed in version 1.4.5-1+deb7u14.\n\nFor the stable distribution (jessie), this problem has been fixed in\nversion 1.7.7-1+deb8u3.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 1.8.7-1.\n\nWe recommend that you upgrade your python-django packages.\");\n script_tag(name: \"summary\", 
value: \"Ryan Butterfield discovered\na vulnerability in the date template filter in python-django, a high-level Python\nweb development framework. A remote attacker can take advantage of this\nflaw to obtain any secret in the application's settings.\");\n script_tag(name: \"vuldetect\", value: \"This check tests the installed software\nversion using the apt package manager.\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"python-django\", ver:\"1.4.5-1+deb7u14\", rls_regex:\"DEB7.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"python-django-doc\", ver:\"1.4.5-1+deb7u14\", rls_regex:\"DEB7.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"python-django\", ver:\"1.7.7-1+deb8u3\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"python-django-common\", ver:\"1.7.7-1+deb8u3\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"python-django-doc\", ver:\"1.7.7-1+deb8u3\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"python3-django\", ver:\"1.7.7-1+deb8u3\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2019-05-29T18:36:46", "description": "The remote host is missing an update for the 'python-django' package(s) announced via the referenced advisory.", "cvss3": {}, "published": "2015-12-31T00:00:00", "type": "openvas", "title": "Fedora Update for python-django FEDORA-2015-323274", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-5964", "CVE-2015-8213", "CVE-2015-5963"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310806925", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310806925", "sourceData": 
"###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for python-django FEDORA-2015-323274\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.806925\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-12-31 05:11:49 +0100 (Thu, 31 Dec 2015)\");\n script_cve_id(\"CVE-2015-8213\", \"CVE-2015-5963\", \"CVE-2015-5964\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for python-django FEDORA-2015-323274\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'python-django'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", 
value:\"python-django on Fedora 22\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2015-323274\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2015-December/174770.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC22\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC22\")\n{\n if ((res = isrpmvuln(pkg:\"python-django\", rpm:\"python-django~1.8.7~1.fc22\", rls:\"FC22\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "ubuntucve": [{"lastseen": "2021-11-22T21:48:26", "description": "The get_format function in utils/formats.py in Django before 1.7.11 (the 1.7.x\nseries and earlier releases), 1.8.x before 1.8.7, and 1.9.x before 1.9rc2 might\nallow remote attackers to obtain sensitive application secrets via a settings\nkey in place of a date/time format setting, as demonstrated by SECRET_KEY, when\nan application passes an unvalidated user-supplied format to the date template\nfilter.", "cvss3": {}, "published": "2015-11-24T00:00:00", "type": "ubuntucve", "title": "CVE-2015-8213", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-8213"], "modified": "2015-11-24T00:00:00", "id": "UB:CVE-2015-8213", "href": "https://ubuntu.com/security/CVE-2015-8213", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "osv": [{"lastseen": "2022-05-11T21:42:50", "description": "The get_format function in utils/formats.py in Django before 1.7.x before 1.7.11, 1.8.x before 1.8.7, and 1.9.x before 1.9rc2 might allow remote attackers to obtain sensitive application secrets via a settings key in place of a date/time format setting, as demonstrated by SECRET_KEY.", "cvss3": {}, "published": "2015-12-07T20:59:00", "type": "osv", "title": "PYSEC-2015-11", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-8213"], "modified": "2021-09-01T08:35:41", "id": "OSV:PYSEC-2015-11", "href": "https://osv.dev/vulnerability/PYSEC-2015-11", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-07-04T04:58:57", "description": "\nRyan Butterfield discovered a vulnerability in the date template filter\nin python-django, a high-level Python web development framework. 
A\nremote attacker can take advantage of this flaw to obtain any secret in\nthe application's settings.\n\n\nFor the oldstable distribution (wheezy), this problem has been fixed\nin version 1.4.5-1+deb7u14.\n\n\nFor the stable distribution (jessie), this problem has been fixed in\nversion 1.7.7-1+deb8u3.\n\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 1.8.7-1.\n\n\nWe recommend that you upgrade your python-django packages.\n\n\n", "cvss3": {}, "published": "2015-11-25T00:00:00", "type": "osv", "title": "python-django - security update", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-8213"], "modified": "2022-07-04T02:52:28", "id": "OSV:DSA-3404-1", "href": "https://osv.dev/vulnerability/DSA-3404-1", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "archlinux": [{"lastseen": "2016-09-02T18:44:47", "description": "If an application allows users to specify an unvalidated format for\ndates and passes this format to the date filter, e.g. {{\nlast_updated|date:user_date_format }}, then a malicious user could\nobtain any secret in the application's settings by specifying a settings\nkey instead of a date format. e.g. 
"SECRET_KEY" instead of "j/m/Y".\n\nTo remedy this, the underlying function used by the date template\nfilter, django.utils.formats.get_format(), now only allows accessing the\ndate/time formatting settings.", "edition": 2, "cvss3": {}, "published": "2015-12-05T00:00:00", "type": "archlinux", "title": "python-django, python2-django: information leakage", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-8213"], "modified": "2015-12-05T00:00:00", "id": "ASA-201512-3", "href": "https://lists.archlinux.org/pipermail/arch-security/2015-December/000460.html", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "debiancve": [{"lastseen": "2022-07-04T06:01:50", "description": "The get_format function in utils/formats.py in Django before 1.7.x before 1.7.11, 1.8.x before 1.8.7, and 1.9.x before 1.9rc2 might allow remote attackers to obtain sensitive application secrets via a settings key in place of a date/time format setting, as demonstrated by SECRET_KEY.", "cvss3": {}, "published": "2015-12-07T20:59:00", "type": "debiancve", "title": "CVE-2015-8213", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-8213"], "modified": "2015-12-07T20:59:00", "id": "DEBIANCVE:CVE-2015-8213", "href": "https://security-tracker.debian.org/tracker/CVE-2015-8213", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "cve": [{"lastseen": "2022-03-23T14:13:41", "description": "The get_format function in utils/formats.py in Django before 1.7.x before 1.7.11, 1.8.x before 1.8.7, and 1.9.x before 1.9rc2 might allow remote attackers to obtain sensitive application secrets via a settings key in place of a date/time format setting, as demonstrated by SECRET_KEY.", "cvss3": {}, "published": "2015-12-07T20:59:00", "type": "cve", "title": "CVE-2015-8213", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-8213"], "modified": "2016-12-07T18:26:00", "cpe": ["cpe:/a:djangoproject:django:1.8.0", "cpe:/a:djangoproject:django:1.8.5", "cpe:/a:djangoproject:django:1.9.0", "cpe:/a:djangoproject:django:1.8.6", "cpe:/a:djangoproject:django:1.8.1", "cpe:/a:djangoproject:django:1.8.3", "cpe:/a:djangoproject:django:1.8.2", "cpe:/a:djangoproject:django:1.7.10", "cpe:/a:djangoproject:django:1.8.4"], "id": "CVE-2015-8213", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8213", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:djangoproject:django:1.8.1:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.8.0:*:*:*:*:*:*:*", 
"cpe:2.3:a:djangoproject:django:1.8.3:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.8.4:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.8.2:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.9.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.8.5:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.7.10:*:*:*:*:*:*:*", "cpe:2.3:a:djangoproject:django:1.8.6:*:*:*:*:*:*:*"]}], "fedora": [{"lastseen": "2020-12-21T08:17:53", "description": "Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY (Don't Repeat Yourself) principle. ", "cvss3": {}, "published": "2015-12-31T01:53:36", "type": "fedora", "title": "[SECURITY] Fedora 22 Update: python-django-1.8.7-1.fc22", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-5963", "CVE-2015-5964", "CVE-2015-8213"], "modified": "2015-12-31T01:53:36", "id": "FEDORA:89CAD6002D6D", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/UK2JFMX4I4FDKGUEPNJGCAC2BZR4ZVMS/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}]}