CVE-2016-9014
First published: Fri Dec 09 2016(Updated: )
Django before 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding attacks by leveraging failure to validate the HTTP Host header against settings.ALLOWED_HOSTS.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/Django | >=1.10a1<1.10.3 | 1.10.3 |
| pip/Django | >=1.9a1<1.9.11 | 1.9.11 |
| pip/Django | >=1.8a1<1.8.16 | 1.8.16 |
| Fedoraproject Fedora | =24 | |
| Fedoraproject Fedora | =25 | |
| Ubuntu Linux | =12.04 | |
| Ubuntu Linux | =14.04 | |
| Ubuntu Linux | =16.04 | |
| Ubuntu Linux | =16.10 | |
| djangoproject Django | =1.8 | |
| djangoproject Django | =1.8.1 | |
| djangoproject Django | =1.8.2 | |
| djangoproject Django | =1.8.3 | |
| djangoproject Django | =1.8.4 | |
| djangoproject Django | =1.8.5 | |
| djangoproject Django | =1.8.6 | |
| djangoproject Django | =1.8.7 | |
| djangoproject Django | =1.8.8 | |
| djangoproject Django | =1.8.9 | |
| djangoproject Django | =1.8.10 | |
| djangoproject Django | =1.8.11 | |
| djangoproject Django | =1.8.12 | |
| djangoproject Django | =1.8.13 | |
| djangoproject Django | =1.8.14 | |
| djangoproject Django | =1.8.15 | |
| djangoproject Django | =1.10 | |
| djangoproject Django | =1.10.1 | |
| djangoproject Django | =1.10.2 | |
| djangoproject Django | =1.9 | |
| djangoproject Django | =1.9.1 | |
| djangoproject Django | =1.9.2 | |
| djangoproject Django | =1.9.3 | |
| djangoproject Django | =1.9.4 | |
| djangoproject Django | =1.9.5 | |
| djangoproject Django | =1.9.6 | |
| djangoproject Django | =1.9.7 | |
| djangoproject Django | =1.9.8 | |
| djangoproject Django | =1.9.9 | |
| djangoproject Django | =1.9.10 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.debian.org/security/2017/dsa-3835
- http://www.securityfocus.com/bid/94068
- http://www.securitytracker.com/id/1037159
- http://www.ubuntu.com/usn/USN-3115-1
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OG5ROMUPS6C7BXELD3TAUUH7OBYV56WQ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QXDKJYHN74BWY3P7AR2UZDVJREQMRE6S/
- https://www.djangoproject.com/weblog/2016/nov/01/security-releases/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OG5ROMUPS6C7BXELD3TAUUH7OBYV56WQ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QXDKJYHN74BWY3P7AR2UZDVJREQMRE6S/
- https://nvd.nist.gov/vuln/detail/CVE-2016-9014
- https://web.archive.org/web/20210123185619/http://www.securityfocus.com/bid/94068
- https://web.archive.org/web/20211204043252/http://www.securitytracker.com/id/1037159
- https://github.com/django/django/commit/45acd6d836895a4c36575f48b3fb36a3dae98d19
- https://github.com/django/django/commit/884e113838e5a72b4b0ec9e5e87aa480f6aa4472
- https://github.com/django/django/commit/c401ae9a7dfb1a94a8a61927ed541d6f93089587
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OG5ROMUPS6C7BXELD3TAUUH7OBYV56WQ
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QXDKJYHN74BWY3P7AR2UZDVJREQMRE6S
- https://www.djangoproject.com/weblog/2016/nov/01/security-releases
- https://github.com/advisories/GHSA-3f2c-jm6v-cr35 (Advisory)
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2016-18.yaml
- agent/author
- agent/type
- agent/severity
- agent/weakness
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/first-publish-date
- agent/event
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-3f2c-jm6v-cr35
- alias/CVE-2016-9014
- agent/software-canonical-lookup
- agent/references
- agent/last-modified-date
- collector/github-advisory
- agent/trending
- agent/source
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/tags
- agent/softwarecombine
- collector/nvd-cve
- source/NVD
- package-manager/pip
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/24
- version/fedoraproject fedora/25
- vendor/canonical
- canonical/ubuntu linux
- version/ubuntu linux/12.04
- version/ubuntu linux/14.04
- version/ubuntu linux/16.04
- version/ubuntu linux/16.10
- vendor/djangoproject
- canonical/djangoproject django
- version/djangoproject django/1.8
- version/djangoproject django/1.8.1
- version/djangoproject django/1.8.2
- version/djangoproject django/1.8.3
- version/djangoproject django/1.8.4
- version/djangoproject django/1.8.5
- version/djangoproject django/1.8.6
- version/djangoproject django/1.8.7
- version/djangoproject django/1.8.8
- version/djangoproject django/1.8.9
- version/djangoproject django/1.8.10
- version/djangoproject django/1.8.11
- version/djangoproject django/1.8.12
- version/djangoproject django/1.8.13
- version/djangoproject django/1.8.14
- version/djangoproject django/1.8.15
- version/djangoproject django/1.10
- version/djangoproject django/1.10.1
- version/djangoproject django/1.10.2
- version/djangoproject django/1.9
- version/djangoproject django/1.9.1
- version/djangoproject django/1.9.2
- version/djangoproject django/1.9.3
- version/djangoproject django/1.9.4
- version/djangoproject django/1.9.5
- version/djangoproject django/1.9.6
- version/djangoproject django/1.9.7
- version/djangoproject django/1.9.8
- version/djangoproject django/1.9.9
- version/djangoproject django/1.9.10