DNS Rebinding Affecting django package, versions [,1.8.16) [1.9,1.9.11) [1.10,1.10.3)
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PYTHON-DJANGO-40440
- published 2 Nov 2016
- disclosed 2 Nov 2016
- credit Aymeric Augustin
Introduced: 2 Nov 2016
CVE-2016-9014 Open this link in a new tabOverview
django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design.
Affected versions of this package are vulnerable to DNS Rebinding attacks. When settings.DEBUG is set to True, it fails to validate the HTTP Host header against settings.ALLOWED_HOSTS making it possible to manipulate the host header. This is at least cross-site scripting vector, which could be quite serious if developers load a copy of the production database in development or connect to some production services for which there's no development instance. Also, if a project uses a package like the django-debug-toolbar, the attacker could also execute arbitrary SQL.