{"id":"GHSA-3f2c-jm6v-cr35","summary":"Django DNS Rebinding Vulnerability","details":"Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding attacks by leveraging failure to validate the HTTP Host header against settings.ALLOWED_HOSTS.","aliases":["CVE-2016-9014","PYSEC-2016-18"],"modified":"2024-11-28T05:40:34.800491Z","published":"2022-05-17T00:27:18Z","database_specific":{"github_reviewed_at":"2023-07-31T22:41:12Z","severity":"CRITICAL","github_reviewed":true,"cwe_ids":[],"nvd_published_at":"2016-12-09T20:59:00Z"},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2016-9014"},{"type":"WEB","url":"https://github.com/django/django/commit/45acd6d836895a4c36575f48b3fb36a3dae98d19"},{"type":"WEB","url":"https://github.com/django/django/commit/884e113838e5a72b4b0ec9e5e87aa480f6aa4472"},{"type":"WEB","url":"https://github.com/django/django/commit/c401ae9a7dfb1a94a8a61927ed541d6f93089587"},{"type":"PACKAGE","url":"https://github.com/django/django"},{"type":"WEB","url":"https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2016-18.yaml"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OG5ROMUPS6C7BXELD3TAUUH7OBYV56WQ"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QXDKJYHN74BWY3P7AR2UZDVJREQMRE6S"},{"type":"WEB","url":"https://web.archive.org/web/20210123185619/http://www.securityfocus.com/bid/94068"},{"type":"WEB","url":"https://web.archive.org/web/20211204043252/http://www.securitytracker.com/id/1037159"},{"type":"WEB","url":"https://www.djangoproject.com/weblog/2016/nov/01/security-releases"},{"type":"WEB","url":"http://www.debian.org/security/2017/dsa-3835"},{"type":"WEB","url":"http://www.ubuntu.com/usn/USN-3115-1"}],"affected":[{"package":{"name":"django","ecosystem":"PyPI","purl":"pkg:pypi/django"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"1.8a1"},{"fixed":"1.8.16"}]}],"versions":["1.8","1.8.1","1.8.10","1.8.11","1.8.12","1.8.13","1.8.14","1.8.15","1.8.2","1.8.3","1.8.4","1.8.5","1.8.6","1.8.7","1.8.8","1.8.9","1.8a1","1.8b1","1.8b2","1.8c1"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3f2c-jm6v-cr35/GHSA-3f2c-jm6v-cr35.json"}},{"package":{"name":"django","ecosystem":"PyPI","purl":"pkg:pypi/django"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"1.9a1"},{"fixed":"1.9.11"}]}],"versions":["1.9","1.9.1","1.9.10","1.9.2","1.9.3","1.9.4","1.9.5","1.9.6","1.9.7","1.9.8","1.9.9","1.9a1","1.9b1","1.9rc1","1.9rc2"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3f2c-jm6v-cr35/GHSA-3f2c-jm6v-cr35.json"}},{"package":{"name":"django","ecosystem":"PyPI","purl":"pkg:pypi/django"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"1.10a1"},{"fixed":"1.10.3"}]}],"versions":["1.10","1.10.1","1.10.2","1.10a1","1.10b1","1.10rc1"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3f2c-jm6v-cr35/GHSA-3f2c-jm6v-cr35.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}]}