Access Restriction Bypass

Affecting python-django package, versions <1.8.7-1ubuntu5.4

NVD Description

Note: Versions mentioned in the description apply to the upstream python-django package. See Remediation section below for Ubuntu:16.04 relevant versions.

Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding attacks because the HTTP Host header is not validated against settings.ALLOWED_HOSTS in debug mode. An attacker who controls a domain can point it at 127.0.0.1 (or at a private address) with a short TTL, lure a developer's browser to that domain and then read responses from the development server running on localhost, since the browser treats the rebound hostname as the same origin. The fixed releases keep enforcing ALLOWED_HOSTS under DEBUG=True: when the list is empty they accept only the localhost variants (localhost, 127.0.0.1 and [::1]) and reject any other Host value with a 400 response, as a DEBUG=False deployment already did.
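The following is an added, simplified reimplementation of the affected Host-header check, written for this page to show the pre-fix and post-fix behaviour side by side; it is modelled on the logic of Django's get_host / validate_host helpers but is not Django's own code. The settings are passed in as plain arguments instead of being read from a settings module, and the function names get_host_vulnerable and get_host_fixed are this example's own.

```python
import re

# Accepts a hostname or bracketed IPv6 literal with an optional :port suffix.
# Pattern modelled on Django's host_validation_re (illustrative reimplementation).
HOST_VALIDATION_RE = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9\.:]+\])(:\d+)?$")

# What the fixed releases fall back to when DEBUG=True and ALLOWED_HOSTS is empty.
LOCALHOST_VARIANTS = ["localhost", "127.0.0.1", "[::1]"]


def split_domain_port(host):
    """Return (domain, port) for a Host header value, lower-cased.

    Returns ("", "") for a syntactically invalid value so callers reject it.
    """
    host = host.lower()
    if not HOST_VALIDATION_RE.match(host):
        return "", ""
    if host[-1] == "]":
        return host, ""  # bare IPv6 literal, no port
    bits = host.rsplit(":", 1)
    domain, port = bits if len(bits) == 2 else (bits[0], "")
    # A trailing dot (fully qualified form) is ignored for matching purposes.
    return (domain[:-1] if domain.endswith(".") else domain), port


def is_same_domain(host, pattern):
    """True if host matches pattern; a leading dot matches the domain and all subdomains."""
    if not pattern:
        return False
    pattern = pattern.lower()
    if pattern[0] == ".":
        return host.endswith(pattern) or host == pattern[1:]
    return host == pattern


def validate_host(domain, allowed_hosts):
    """True if domain is allowed by any entry; '*' allows everything."""
    return any(p == "*" or is_same_domain(domain, p) for p in allowed_hosts)


def get_host_vulnerable(raw_host, debug, allowed_hosts):
    """Pre-fix behaviour: DEBUG=True replaces ALLOWED_HOSTS with a wildcard.

    Any Host value passes, which is what makes DNS rebinding against a
    localhost dev server work. Returns the accepted host or None.
    """
    effective = ["*"] if debug else list(allowed_hosts)
    domain, _ = split_domain_port(raw_host)
    if domain and validate_host(domain, effective):
        return raw_host
    return None


def get_host_fixed(raw_host, debug, allowed_hosts):
    """Post-fix behaviour: ALLOWED_HOSTS is enforced regardless of DEBUG.

    With DEBUG=True and an empty list only localhost variants are accepted.
    Returns the accepted host or None (Django raises DisallowedHost -> 400).
    """
    effective = list(allowed_hosts)
    if debug and not effective:
        effective = LOCALHOST_VARIANTS
    domain, _ = split_domain_port(raw_host)
    if domain and validate_host(domain, effective):
        return raw_host
    return None


if __name__ == "__main__":
    # Constructed Host values as a rebinding attacker's browser would send them.
    for raw in ["attacker.example", "localhost:8000", "[::1]:8000"]:
        print(raw, "vulnerable:", get_host_vulnerable(raw, True, []),
              "fixed:", get_host_fixed(raw, True, []))
```

To check a running development server rather than the model above, send a request with a foreign Host header, for example `curl -i -H 'Host: attacker.example' http://127.0.0.1:8000/`: a patched Django returns 400 Bad Request, while an affected version with DEBUG=True serves the page normally.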

Remediation

Upgrade Ubuntu:16.04 python-django to version 1.8.7-1ubuntu5.4 or higher.

CVSS Score

8.1
medium severity
  • Attack Vector
    Network
  • Attack Complexity
    High
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    High
  • Availability
    High
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE
CVE-2016-9014
CWE
CWE-264
Snyk ID
SNYK-UBUNTU1604-PYTHONDJANGO-361009
Disclosed
09 Dec, 2016
Published
09 Dec, 2016