CVE-2016-9014
Published 2016-12-09
CVE-2016-9014: Django before 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding…
Priority: P3 · 47 · high · CVSS 3.0: 8.1 · AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 6.07% (92.5th percentile)
Django before 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding attacks by leveraging failure to validate the HTTP Host header against settings.ALLOWED_HOSTS.
Affected
40 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| debian | python-django | < python-django 1:1.10.3-1 (bookworm) | python-django 1:1.10.3-1 (bookworm) |
| djangoproject | django | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.1 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 8.1 | HIGH | — |
| vendor_redhat | — | 8.1 | HIGH | — |
OSV
Django DNS Rebinding Vulnerability
osv · 2022-05-17 · CVE-2016-9014 [CRITICAL]
GHSA
Django DNS Rebinding Vulnerability
ghsa · 2022-05-17 · CVE-2016-9014 [CRITICAL]
OSV
CVE-2016-9014: Django before 1…
osv · 2016-12-09 · CVSS 8.1 · CVE-2016-9014 [HIGH]
OSV
python-django vulnerabilities
osv · 2016-11-01 · CVSS 9.8 · CVE-2016-9013 [CRITICAL]
Marti Raudsepp discovered that Django incorrectly used a hardcoded password
when running tests on an Oracle database. A remote attacker could possibly
connect to the database while the tests are running and prevent the test
user with the hardcoded password from being removed. (CVE-2016-9013)
Aymeric Augustin discovered that Django incorrectly validated hosts when
being run with the debug setting enabled. A remote attacker could possibly
use this issue to perform DNS rebinding attacks. (CVE-2016-9014)
Red Hat
python-django: DNS rebinding vulnerability when 'DEBUG=True'
vendor_redhat · 2016-11-01 · CVSS 8.1 · CVE-2016-9014 [HIGH]
Package: calamari-server (Red Hat Ceph Storage 1.3) - Will not fix
Package: python-django (Red Hat Ceph Storage 2) - Will not fix
Package: python-django (Red Hat Enterprise Linux OpenStack Platform 5 (Icehouse)) - Will not fix
Package: python-django (Red Hat Enterprise Linux OpenStack Platform 6 (Juno)) - Will not fix
Package: python-django (Red Hat Enterprise Linux OpenStack Platform 7 (Kilo)) - Will not fix
Package: python-django (Red Hat Enterprise Linux OpenStack Platfo
Ubuntu
Django vulnerabilities
vendor_ubuntu · 2016-11-01 · CVSS 9.8 · CVE-2016-9013 [CRITICAL]
Summary: Several security issues were fixed in Django (the advisory text is the same as the OSV "python-django vulnerabilities" entry above).
Instructions: In general, a standard system update will make all the necessary changes.
Debian
CVE-2016-9014: python-django - Django before 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3...
vendor_debian · 2016 · CVSS 8.1 · CVE-2016-9014 [HIGH]
Scope: local
bookworm: resolved (fixed in 1:1.10.3-1)
bullseye: resolved (fixed in 1:1.10.3-1)
forky: resolved (fixed in 1:1.10.3-1)
sid: resolved (fixed in 1:1.10.3-1)
trixie: resolved (fixed in 1:1.10.3-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2016-9013 CVE-2016-9014 python-django: various flaws [epel-7]
bugzilla · 2016-11-01 · CVSS 9.8 · CVE-2016-9013 [CRITICAL]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
[bug automatically created by: add-tracking-bugs]
Bugzilla
CVE-2016-9013 CVE-2016-9014 python-django: various flaws [fedora-all]
bugzilla · 2016-11-01 · CVSS 9.8 · CVE-2016-9013 [CRITICAL]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
NOTE: this issue affects multiple supported versions of Fedora.
Bugzilla
CVE-2016-9013 CVE-2016-9014 Django14: various flaws [epel-6]
bugzilla · 2016-11-01 · CVSS 9.8 · CVE-2016-9013 [CRITICAL]
Bugzilla
CVE-2016-9014 python-django: DNS rebinding vulnerability when 'DEBUG=True'
bugzilla · 2016-10-27 · CVSS 8.1 · CVE-2016-9014 [HIGH]
The following flaw was reported in Django:
Older versions of Django don't validate the 'Host' header against 'settings.ALLOWED_HOSTS' when 'settings.DEBUG=True'. This makes them vulnerable to a DNS rebinding attack:
http://benmmurphy.github.io/blog/2016/07/11/rails-webconsole-dns-rebinding/
While Django doesn't ship a module that allows remote code execution, this is at least a cross-site scripting vector, which could be quite serious if developers load a copy of the production database in development or connect to some production services for which there's no development instance, for example. If a project uses a package like the 'django-debug-toolbar', then the attacker could execute arbitrary SQL, which could
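The check the report above says was missing, written here as an added Python example (not Django's own code): the Host header is compared against ALLOWED_HOSTS regardless of DEBUG, and when DEBUG is on with an empty ALLOWED_HOSTS a loopback-only fallback list is used, so a rebinding attacker's hostname is rejected. The fallback list, the regular expression and the helper names are assumptions of this example.

```python
# Added example for this page (not Django's own code): Host-header validation
# against ALLOWED_HOSTS in the shape of the fixed behaviour. The check runs
# regardless of DEBUG; when DEBUG is on and ALLOWED_HOSTS is empty, a
# loopback-only fallback list (assumed here) is used, so a hostname an
# attacker controls through DNS rebinding is rejected instead of waved through.
import re

# Fallback allow-list for DEBUG=True with empty ALLOWED_HOSTS (assumption of
# this example, modelled on the fixed releases).
DEBUG_FALLBACK_HOSTS = ["localhost", "127.0.0.1", "[::1]"]

# Accepts a DNS name or a bracketed IPv6 literal, optionally followed by :port.
_HOST_RE = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9:]+\])(:\d+)?$")


def split_domain_port(host_header):
    """Return (domain, port) for a Host header value; ('', '') if malformed."""
    match = _HOST_RE.match(host_header.lower())
    if not match:
        return "", ""
    domain, port = match.groups()
    domain = domain[:-1] if domain.endswith(".") else domain  # drop trailing dot
    return domain, (port or "").lstrip(":")


def host_matches_pattern(domain, pattern):
    """'*' matches anything; '.example.com' matches example.com and subdomains."""
    pattern = pattern.lower()
    if pattern == "*" or pattern == domain:
        return True
    return pattern.startswith(".") and (
        domain.endswith(pattern) or domain == pattern[1:]
    )


def host_allowed(host_header, allowed_hosts, debug):
    """Decide whether a request carrying this Host header may be served.

    The vulnerable pre-fix shape was an early `if debug: return True` before
    any comparison, which is what let a rebinding attacker's name through.
    Here the comparison always runs; only the allow-list changes under DEBUG.
    """
    if debug and not allowed_hosts:
        allowed_hosts = DEBUG_FALLBACK_HOSTS
    domain, _port = split_domain_port(host_header)
    return bool(domain) and any(
        host_matches_pattern(domain, p) for p in allowed_hosts
    )
```

A malformed Host value (for example one containing a space) is rejected outright, since the parser returns an empty domain and no pattern can match it.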
References
- http://www.debian.org/security/2017/dsa-3835
- http://www.securityfocus.com/bid/94068
- http://www.securitytracker.com/id/1037159
- http://www.ubuntu.com/usn/USN-3115-1
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OG5ROMUPS6C7BXELD3TAUUH7OBYV56WQ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QXDKJYHN74BWY3P7AR2UZDVJREQMRE6S/
- https://www.djangoproject.com/weblog/2016/nov/01/security-releases/