CVE-2016-9014: Django vulnerability

CWE-264 | 13 documents | 8 sources

Severity: 8.1 HIGH (NVD)
EPSS: 3.0% (top 13.30%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Dec 9; latest update May 17

Description

Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding attacks by leveraging a failure to validate the HTTP Host header against settings.ALLOWED_HOSTS. The flaw is confined to debug-mode deployments: the fix is to upgrade to 1.8.16, 1.9.11 or 1.10.3, and in any case to confirm that production settings have DEBUG set to False and ALLOWED_HOSTS explicitly populated, since Host header validation against ALLOWED_HOSTS is what blocks rebinding.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H (Exploitability: 2.2 | Impact: 5.9)

Affected Packages (2 packages)

PyPI: djangoproject/django, 1.8a1 to 1.8.16 (+2)
NVD: djangoproject/django, 30 versions (+29)

Also affects: Fedora 24, 25; Ubuntu Linux 12.04, 14.04, 16.04, 16.10

Vulnerability Details (5)

OSV: Django DNS Rebinding Vulnerability (2022-05-17)
GHSA: Django DNS Rebinding Vulnerability (2022-05-17)
CVEList: CVE-2016-9014: Django before 1 (2016-12-09)
OSV: CVE-2016-9014: Django before 1 (2016-12-09)
OSV: python-django vulnerabilities (2016-11-01)

Vendor Advisories (3)

Red Hat: python-django: DNS rebinding vulnerability when 'DEBUG=True' (2016-11-01)
Ubuntu: Django vulnerabilities (2016-11-01)
Debian: CVE-2016-9014: python-django - Django before 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3... (2016)

Community (4)

Bugzilla: CVE-2016-9013 CVE-2016-9014 python-django: various flaws [epel-7] (2016-11-01)
Bugzilla: CVE-2016-9013 CVE-2016-9014 python-django: various flaws [fedora-all] (2016-11-01)
Bugzilla: CVE-2016-9013 CVE-2016-9014 Django14: various flaws [epel-6] (2016-11-01)
Bugzilla: CVE-2016-9014 python-django: DNS rebinding vulnerability when 'DEBUG=True' (2016-10-27)
CVE-2016-9014 — Djangoproject Django vulnerability | cvebase