DNS Rebinding Affecting django package, versions [,1.8.16) [1.9,1.9.11) [1.10,1.10.3)
Snyk ID SNYK-PYTHON-DJANGO-40440
- published 2 Nov 2016
- disclosed 2 Nov 2016
- credit Aymeric Augustin
Introduced: 2 Nov 2016
CVE-2016-9014
Overview
django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design.
Affected versions of this package are vulnerable to DNS Rebinding attacks. When settings.DEBUG is set to True, Django fails to validate the HTTP Host header against settings.ALLOWED_HOSTS, making it possible to manipulate the Host header. This is at least a cross-site scripting vector, which could be quite serious if developers load a copy of the production database in development or connect to production services for which there is no development instance. If a project also uses a package like django-debug-toolbar, the attacker could execute arbitrary SQL.