Access Restriction Bypass Affecting python-django package, versions <1:1.10.3-1
Snyk CVSS
Attack Complexity
High
Confidentiality
High
Integrity
High
Availability
High
Threat Intelligence
EPSS
1.66% (88th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-DEBIAN11-PYTHONDJANGO-517295
- published 9 Dec 2016
- disclosed 9 Dec 2016
Introduced: 9 Dec 2016
CVE-2016-9014 Open this link in a new tabHow to fix?
Upgrade Debian:11
python-django
to version 1:1.10.3-1 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream python-django
package and not the python-django
package as distributed by Debian
.
See How to fix?
for Debian:11
relevant fixed versions and status.
Django before 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding attacks by leveraging failure to validate the HTTP Host header against settings.ALLOWED_HOSTS.
References
- https://security-tracker.debian.org/tracker/CVE-2016-9014
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9014
- http://www.debian.org/security/2017/dsa-3835
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OG5ROMUPS6C7BXELD3TAUUH7OBYV56WQ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QXDKJYHN74BWY3P7AR2UZDVJREQMRE6S/
- https://www.djangoproject.com/weblog/2016/nov/01/security-releases/
- http://www.securityfocus.com/bid/94068
- http://www.securitytracker.com/id/1037159
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-9014
- http://www.ubuntu.com/usn/USN-3115-1
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OG5ROMUPS6C7BXELD3TAUUH7OBYV56WQ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QXDKJYHN74BWY3P7AR2UZDVJREQMRE6S/