Vulnerability Description
Django before 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding attacks by leveraging failure to validate the HTTP Host header against settings.ALLOWED_HOSTS.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Fedoraproject | Fedora | 24 |
| Canonical | Ubuntu Linux | 12.04 |
| Djangoproject | Django | 1.8 |
Related Weaknesses (CWE)
References
- http://www.debian.org/security/2017/dsa-3835
- http://www.securityfocus.com/bid/94068Third Party AdvisoryVDB Entry
- http://www.securitytracker.com/id/1037159Third Party AdvisoryVDB Entry
- http://www.ubuntu.com/usn/USN-3115-1Third Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://www.djangoproject.com/weblog/2016/nov/01/security-releases/Release NotesVendor Advisory
- http://www.debian.org/security/2017/dsa-3835
- http://www.securityfocus.com/bid/94068Third Party AdvisoryVDB Entry
- http://www.securitytracker.com/id/1037159Third Party AdvisoryVDB Entry
- http://www.ubuntu.com/usn/USN-3115-1Third Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://www.djangoproject.com/weblog/2016/nov/01/security-releases/Release NotesVendor Advisory
FAQ
What is CVE-2016-9014?
CVE-2016-9014 is a vulnerability with a CVSS score of 8.1 (HIGH). Django before 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding attacks by leveraging failure to validate...
How severe is CVE-2016-9014?
CVE-2016-9014 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2016-9014?
Check the references section above for vendor advisories and patch information. Affected products include: Fedoraproject Fedora, Canonical Ubuntu Linux, Djangoproject Django.