CVE-2016-9014
python-django - security update
Severity: 8.1 HIGH (CVSS 3.1); EPSS 3.7%
Description
Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding attacks by leveraging failure to validate the HTTP Host header against settings.ALLOWED_HOSTS. In the affected releases, DEBUG = True was treated as the equivalent of ALLOWED_HOSTS = ['*'], so a development server accepted any Host value. An attacker who controls a DNS name can point it at the developer's own address after the victim's browser has loaded a page from it; the browser then sends requests to the local dev server with the attacker's hostname in the Host header, Django serves them, and the attacker's script can read the responses (including debug pages) as if they were same-origin. The fixed releases keep checking ALLOWED_HOSTS under DEBUG and, when it is empty, fall back to localhost, 127.0.0.1 and [::1] only.
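The following is an added example, not Django's source: a simplified re-implementation of Django-style Host header handling, showing the pre-fix path (DEBUG treated as a wildcard allow-list) beside the fixed path (DEBUG only relaxes an empty ALLOWED_HOSTS, and only to loopback names). The names split_domain_port, validate_host, get_host_vulnerable, get_host_fixed, host_accepted and DEBUG_FALLBACK_HOSTS are chosen here for illustration; the rebound hostname attacker.example is constructed sample input.

```python
import re

# Loopback names the fixed Django releases fall back to when DEBUG is True and
# ALLOWED_HOSTS is empty. The constant name is illustrative, not Django's.
DEBUG_FALLBACK_HOSTS = ["localhost", "127.0.0.1", "[::1]"]

# Hostname or bracketed IPv6 literal, optionally followed by :port.
_HOST_RE = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\])(:\d+)?$")


class DisallowedHost(Exception):
    """Raised when the Host header does not match the allow-list."""


def split_domain_port(host):
    """Lower-case the header, check its shape and return (domain, port).

    A bracketed IPv6 literal is kept whole; a trailing dot on a domain is dropped.
    Anything that does not look like a host returns ("", "") so the caller rejects it.
    """
    host = host.lower()
    if not _HOST_RE.match(host):
        return "", ""
    if host.endswith("]"):
        return host, ""
    parts = host.rsplit(":", 1)
    domain, port = parts if len(parts) == 2 else (parts[0], "")
    if domain.endswith("."):
        domain = domain[:-1]
    return domain, port


def validate_host(domain, allowed_hosts):
    """Match a domain against ALLOWED_HOSTS-style patterns.

    '*' matches anything; a pattern starting with '.' matches that domain and any
    subdomain of it; everything else must match exactly.
    """
    for pattern in allowed_hosts:
        if pattern == "*" or domain == pattern:
            return True
        if pattern.startswith(".") and (domain.endswith(pattern) or domain == pattern[1:]):
            return True
    return False


def get_host_vulnerable(host_header, allowed_hosts, debug):
    """Pre-fix behaviour: DEBUG=True is treated as ALLOWED_HOSTS = ['*'].

    A DNS-rebinding attacker whose name now resolves to the developer's machine
    gets any Host value accepted, so the victim's browser can read dev-server
    responses (including debug pages) as if they were same-origin.
    """
    effective = ["*"] if debug else allowed_hosts
    domain, _port = split_domain_port(host_header)
    if domain and validate_host(domain, effective):
        return host_header
    raise DisallowedHost("Invalid HTTP_HOST header: %r" % host_header)


def get_host_fixed(host_header, allowed_hosts, debug):
    """Fixed behaviour: DEBUG only relaxes an empty ALLOWED_HOSTS, and then only
    to loopback names, so a rebound attacker hostname is rejected."""
    effective = allowed_hosts
    if debug and not allowed_hosts:
        effective = DEBUG_FALLBACK_HOSTS
    domain, _port = split_domain_port(host_header)
    if domain and validate_host(domain, effective):
        return host_header
    raise DisallowedHost("Invalid HTTP_HOST header: %r" % host_header)


def host_accepted(host_header, allowed_hosts, debug, fixed=True):
    """Boolean wrapper so the two behaviours can be compared side by side."""
    checker = get_host_fixed if fixed else get_host_vulnerable
    try:
        checker(host_header, allowed_hosts, debug)
        return True
    except DisallowedHost:
        return False


if __name__ == "__main__":
    # Constructed scenario: a dev server with DEBUG = True and ALLOWED_HOSTS = []
    # receiving a request whose Host header is the attacker's rebound domain.
    rebound = "attacker.example:8000"
    print("vulnerable accepts rebound host:", host_accepted(rebound, [], True, fixed=False))
    print("fixed accepts rebound host:     ", host_accepted(rebound, [], True, fixed=True))
    print("fixed accepts localhost:        ", host_accepted("localhost:8000", [], True))
```

Note that the fix only narrows the default: a settings file that sets ALLOWED_HOSTS = ['*'] still accepts the rebound hostname in both paths, and running with DEBUG = True on a reachable interface remains unsafe regardless of version.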
How to fix CVE-2016-9014
To remediate CVE-2016-9014, upgrade the affected package to a fixed version below.
- Alpine py3-django: upgrade to 1.8.16-r0 or later
- (package not named): upgrade to 1.8.16-r0 or later
- (package not named): upgrade to 1:1.10.3-1 or later
- (package not named): upgrade to 1.4.22-1+deb7u2 or later
- (package not named): upgrade to 1.8.16 or later
- (package not named): upgrade to 1.8.16 or later
Is CVE-2016-9014 being exploited?
Low. An EPSS score of 3.7% is a modelled probability that the CVE will be exploited in the wild within the next 30 days; it is a prediction, not a record of observed attacks, and it sits well below the scores of widely exploited CVEs. Practical exposure also requires a vulnerable Django running with settings.DEBUG = True and reachable from a victim's browser, a configuration the Django documentation says never to deploy in production.
Affected packages (6)
- (package not named): all versions < 1.8.16-r0
- (package not named): all versions < 1.8.16-r0
- (package not named): all versions < 1:1.10.3-1
- (package not named): all versions < 1.4.22-1+deb7u2
- (package not named): >= 1.8a1, < 1.8.16
- (package not named): all versions < 1.8.16; >= 1.9, < 1.9.11; >= 1.10, < 1.10.3
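A small checker for the upstream (PyPI) ranges above, added here as an example and not part of this page's data or of any scanner: AFFECTED_RANGES encodes the last entry's three ranges (lower bound inclusive, upper exclusive, with "0.0" standing for "from 0"), parse_version handles the a/b/rc pre-release forms Django uses so that 1.8a1 sorts below 1.8.16, and fixed_version_for and is_affected are names chosen for illustration. The version list in the main block is constructed sample input.

```python
import re

# Affected ranges for the PyPI Django package as listed on this page
# (lower bound inclusive, upper bound exclusive; "0.0" stands for "from 0").
AFFECTED_RANGES = [
    ("0.0", "1.8.16"),
    ("1.9", "1.9.11"),
    ("1.10", "1.10.3"),
]

# major.minor[.patch][a|b|rc N], the shape of Django release strings.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:(a|b|rc)(\d+))?$")
# Pre-release tags sort before the final release of the same number.
_PRE_RANK = {"a": 0, "b": 1, "rc": 2, None: 3}


def parse_version(text):
    """Turn '1.8a1' / '1.8' / '1.8.16' into a tuple that sorts in release order."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError("unrecognised Django version string: %r" % text)
    major, minor, patch, pre, pre_num = match.groups()
    return (int(major), int(minor), int(patch or 0), _PRE_RANK[pre], int(pre_num or 0))


def fixed_version_for(version_text):
    """Return the first fixed release for an affected version, or None if not affected."""
    version = parse_version(version_text)
    for lower, upper in AFFECTED_RANGES:
        if parse_version(lower) <= version < parse_version(upper):
            return upper
    return None


def is_affected(version_text):
    """True when the given upstream Django version falls inside an affected range."""
    return fixed_version_for(version_text) is not None


if __name__ == "__main__":
    # Constructed sample inventory (not real data) covering each range boundary.
    for v in ["1.4.22", "1.8a1", "1.8.15", "1.8.16", "1.9.10", "1.9.11", "1.10.2", "1.10.3", "1.11.0"]:
        print("%-8s affected=%-5s fix=%s" % (v, is_affected(v), fixed_version_for(v)))
```

This applies to upstream version strings only. Distribution packages backport the fix without changing the upstream number (the Debian 1.4.22-1+deb7u2 entry above is one such case), so for those compare against the distribution's fixed package version, not the ranges here.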
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | HIGH (8.1) | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |