Description
Django before 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allows remote attackers to conduct DNS rebinding attacks by leveraging failure to validate the HTTP Host header against settings.ALLOWED_HOSTS.
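The check at issue, as an added example that is not Django's own code: a simplified stand-alone model of Host header validation, with the DEBUG bypass described above next to the corrected behaviour. The function names, the `DEBUG_FALLBACK_HOSTS` constant and the sample hostnames are assumptions made for illustration; the localhost fallback list reflects what the fixed releases permit when DEBUG is True and ALLOWED_HOSTS is empty.

```python
import re

# Fallback used by the fixed behaviour when DEBUG=True and ALLOWED_HOSTS is empty.
DEBUG_FALLBACK_HOSTS = ["localhost", "127.0.0.1", "[::1]"]

# Host name or bracketed IPv6 literal, with an optional port.
_HOST_RE = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9:.]+\])(:\d+)?$")


def split_host(host_header):
    """Return the lower-cased host without its port, or None if malformed."""
    match = _HOST_RE.match(host_header.strip().lower())
    if not match:
        return None
    name = match.group(1)
    return name[:-1] if name.endswith(".") else name


def pattern_matches(host, pattern):
    """ALLOWED_HOSTS-style match: '*' is any host, '.x.org' is x.org and subdomains."""
    pattern = pattern.lower()
    if pattern == "*":
        return True
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def host_allowed_fixed(host_header, allowed_hosts, debug):
    """Corrected behaviour: the allow-list is enforced regardless of DEBUG."""
    host = split_host(host_header)
    if host is None:
        return False
    if debug and not allowed_hosts:
        allowed_hosts = DEBUG_FALLBACK_HOSTS
    return any(pattern_matches(host, p) for p in allowed_hosts)


def host_allowed_vulnerable(host_header, allowed_hosts, debug):
    """Behaviour described above: DEBUG=True skips the allow-list entirely."""
    if debug:
        return True
    return host_allowed_fixed(host_header, allowed_hosts, debug=False)


if __name__ == "__main__":
    # Constructed sample Host headers as a development server might receive them.
    for header in ["localhost:8000", "[::1]:8000", "rebind.attacker.example:8000"]:
        print(header,
              "vulnerable:", host_allowed_vulnerable(header, [], debug=True),
              "fixed:", host_allowed_fixed(header, [], debug=True))
```

A rebound hostname still resolves to the local address, so only the Host header distinguishes the request; the corrected check rejects it while ordinary localhost development keeps working.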
Remediation
References