PYSEC-2016-18
PUBLISHED
Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, skip validation of the HTTP Host header against settings.ALLOWED_HOSTS. A remote attacker can use this to conduct DNS rebinding attacks: a page loaded from an attacker-controlled hostname whose DNS record is later switched to point at the developer's machine makes the browser send requests carrying that hostname in the Host header, and the debug-mode server accepts and answers them.
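The check that the affected releases skipped, as an added example that is not Django's own code. It reimplements the ALLOWED_HOSTS matching rules (exact host, leading-dot subdomain wildcard, `*`) so it runs without Django installed, and places the pre-fix policy (DEBUG=True accepts any Host) beside the fixed policy from the referenced Django security release (always validate; with DEBUG=True and an empty ALLOWED_HOSTS, accept only localhost, 127.0.0.1 and [::1]). The hostnames and the WSGI-style `environ` are constructed for the demo.

```python
"""Host-header validation with and without the DEBUG bypass (PYSEC-2016-18).

Added example, not Django's own code: the ALLOWED_HOSTS matching rules are
reimplemented here so the file runs stand-alone. Hostnames are constructed.
"""
from typing import Callable, Dict, Iterable, List, Tuple

# Hosts the fixed releases accept when DEBUG=True and ALLOWED_HOSTS is empty.
DEBUG_LOCAL_HOSTS: List[str] = ["localhost", "127.0.0.1", "[::1]"]


def split_domain_port(host: str) -> Tuple[str, str]:
    """Split a Host header value into (domain, port), lower-cased.

    Handles 'example.com', 'example.com:8000', '[::1]' and '[::1]:8000'.
    A single trailing dot (FQDN form) is removed from the domain.
    """
    host = host.strip().lower()
    if host.endswith("]"):  # bracketed IPv6 literal without a port
        domain, port = host, ""
    else:
        domain, sep, port = host.rpartition(":")
        if not sep or not port.isdigit():  # no port, or ':' is part of an IPv6 literal
            domain, port = host, ""
    if domain.endswith("."):
        domain = domain[:-1]
    return domain, port


def validate_host(host: str, allowed_hosts: Iterable[str]) -> bool:
    """True if the domain part of `host` matches an ALLOWED_HOSTS pattern.

    Patterns: '*' matches anything; 'example.com' matches exactly;
    '.example.com' matches example.com and every subdomain of it.
    """
    domain, _port = split_domain_port(host)
    if not domain:
        return False
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == "*" or pattern == domain:
            return True
        if pattern.startswith(".") and (domain.endswith(pattern) or domain == pattern[1:]):
            return True
    return False


def host_allowed_vulnerable(host: str, allowed_hosts: Iterable[str], debug: bool) -> bool:
    """Pre-fix policy: DEBUG=True bypasses ALLOWED_HOSTS entirely."""
    if debug:
        return True
    return validate_host(host, allowed_hosts)


def host_allowed_fixed(host: str, allowed_hosts: Iterable[str], debug: bool) -> bool:
    """Fixed policy: always validate; with DEBUG=True and an empty
    ALLOWED_HOSTS, only loopback names are accepted."""
    allowed = list(allowed_hosts)
    if debug and not allowed:
        allowed = DEBUG_LOCAL_HOSTS
    return validate_host(host, allowed)


Policy = Callable[[str, Iterable[str], bool], bool]


def handle_request(environ: Dict[str, str], allowed_hosts: Iterable[str],
                   debug: bool, policy: Policy) -> int:
    """Status a minimal front door would return: 400 for a disallowed Host
    (Django raises DisallowedHost, rendered as 400), otherwise 200."""
    host = environ.get("HTTP_HOST", "")
    return 200 if policy(host, allowed_hosts, debug) else 400


def rebinding_demo() -> Dict[str, int]:
    """Constructed scenario: a developer runs the dev server with DEBUG=True
    and ALLOWED_HOSTS=[]. The attacker's page was loaded from
    rebind.attacker.test; its DNS answer is then switched to 127.0.0.1, so the
    browser now sends 'Host: rebind.attacker.test:8000' to the dev server."""
    rebound = {"HTTP_HOST": "rebind.attacker.test:8000"}
    local = {"HTTP_HOST": "localhost:8000"}
    return {
        "vulnerable": handle_request(rebound, [], True, host_allowed_vulnerable),
        "fixed": handle_request(rebound, [], True, host_allowed_fixed),
        "fixed_localhost": handle_request(local, [], True, host_allowed_fixed),
    }


if __name__ == "__main__":
    print(rebinding_demo())
```

The point the demo makes is that DEBUG mode alone was the bypass: with the pre-fix policy the rebound request is served even when ALLOWED_HOSTS is populated, whereas the fixed policy rejects it and still lets the developer reach the server by its loopback names.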
Affected Products
| Vendor | Product | Affected range (introduced, fixed) |
|---|---|---|
| PyPI | django | 0 to 1.8.16, 1.9 to 1.9.11, 1.10 to 1.10.3 (fixed versions not affected) |
Timeline
- Dec 9, 2016 CVE Published
- Nov 8, 2023 CVE Updated
- May 1, 2026 Distribution Patch
- May 1, 2026 Distribution Patch
- May 1, 2026 Security Advisory
References
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QXDKJYHN74BWY3P7AR2UZDVJREQMRE6S/ (url)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OG5ROMUPS6C7BXELD3TAUUH7OBYV56WQ/ (url)
- http://www.securitytracker.com/id/1037159 (url)
- http://www.ubuntu.com/usn/USN-3115-1 (advisory)
- https://www.djangoproject.com/weblog/2016/nov/01/security-releases/ (article)
- http://www.securityfocus.com/bid/94068 (url)
- http://www.debian.org/security/2017/dsa-3835 (advisory)