CVE-2016-9014

HIGH

Django <1.8.16-1.10.3 - Server-Side Request Forgery

Title source: manual
STIX 2.1

Description

Django before 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding attacks by leveraging failure to validate the HTTP Host header against settings.ALLOWED_HOSTS.

References (7)

Core 7
Core References
Release Notes, Vendor Advisory x_refsource_confirm
https://www.djangoproject.com/weblog/2016/nov/01/security-releases/
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/94068
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2017/dsa-3835
Third Party Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-3115-1
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1037159

Scores

CVSS v3 8.1
EPSS 0.0607
EPSS Percentile 92.6%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-264
Status published
Products (37)
canonical/ubuntu_linux 12.04
canonical/ubuntu_linux 14.04
canonical/ubuntu_linux 16.04
canonical/ubuntu_linux 16.10
djangoproject/django 1.8
djangoproject/django 1.8.1
djangoproject/django 1.8.2
djangoproject/django 1.8.3
djangoproject/django 1.8.4
djangoproject/django 1.8.5
... and 27 more
Published Dec 09, 2016
Tracked Since Feb 18, 2026