CVE-2015-8213: Settings leak in date template filter
If an application allows users to specify an unvalidated format for dates and passes this format to the date filter, a malicious user could obtain any secret in the application's settings by specifying a settings key instead of a date format, e.g. SECRET_KEY instead of j/m/Y.
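A defensive check for the case described above, as an added example that is not part of the original advisory and is not Django's code: it pairs a simplified model of the unrestricted lookup with an allowlisted lookup and an application-side validator for user-supplied formats. `FakeSettings`, the function names, the allowed character set and the length limit are all assumptions made for illustration.

```python
import re

# Constructed stand-in for a settings module; all values are made up.
class FakeSettings:
    SECRET_KEY = "constructed-secret-for-demo"
    DATE_FORMAT = "N j, Y"
    SHORT_DATE_FORMAT = "m/d/Y"

# Format names a user may legitimately refer to (assumed application policy).
NAMED_FORMATS = frozenset({"DATE_FORMAT", "SHORT_DATE_FORMAT"})

# Date-only format characters and separators accepted from users (assumed policy).
ALLOWED_CHARS = frozenset("dDjlmMnNFyY /-.,")
SETTINGS_NAME = re.compile(r"[A-Z][A-Z0-9_]+")
MAX_LEN = 20


def resolve_unrestricted(fmt, settings=FakeSettings):
    """Model of the flaw: any string naming a settings attribute resolves to its value."""
    return getattr(settings, fmt, fmt)


def resolve_restricted(fmt, settings=FakeSettings):
    """Resolve only allowlisted format names; everything else stays a literal format."""
    if fmt in NAMED_FORMATS:
        return getattr(settings, fmt)
    return fmt


def is_safe_user_format(fmt):
    """Application-side check to run before a user value reaches the date filter."""
    if not isinstance(fmt, str) or not 0 < len(fmt) <= MAX_LEN:
        return False
    if fmt in NAMED_FORMATS:
        return True
    if SETTINGS_NAME.fullmatch(fmt):  # shaped like a settings key
        return False
    return all(ch in ALLOWED_CHARS for ch in fmt)


if __name__ == "__main__":
    for candidate in ("j/m/Y", "SHORT_DATE_FORMAT", "SECRET_KEY", "DEBUG"):
        print(f"{candidate!r:22} accepted={is_safe_user_format(candidate)} "
              f"unrestricted={resolve_unrestricted(candidate)!r} "
              f"restricted={resolve_restricted(candidate)!r}")
```

The validator is deliberately conservative: it rejects time characters and any all-uppercase multi-character string, so an application that needs richer formats should extend the allowlist rather than remove the settings-name check.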