{"id":"CVE-2016-9014","details":"Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allows remote attackers to conduct DNS rebinding attacks by leveraging a failure to validate the HTTP Host header against settings.ALLOWED_HOSTS.","aliases":["GHSA-3f2c-jm6v-cr35","PYSEC-2016-18"],"modified":"2026-05-28T04:03:32.479166541Z","published":"2016-12-09T20:59:06.970Z","related":["SUSE-SU-2018:0973-1","SUSE-SU-2018:1102-1"],"database_specific":{"unresolved_ranges":[{"cpes":["cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*","cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*","cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*","cpe:2.3:o:canonical:ubuntu_linux:16.10:*:*:*:*:*:*:*"],"vendor_product":"canonical:ubuntu_linux","source":"CPE_STRING","extracted_events":[{"last_affected":"12.04"},{"last_affected":"14.04"},{"last_affected":"16.04"},{"last_affected":"16.10"}]},{"cpes":["cpe:2.3:o:fedoraproject:fedora:24:*:*:*:*:*:*:*","cpe:2.3:o:fedoraproject:fedora:25:*:*:*:*:*:*:*"],"vendor_product":"fedoraproject:fedora","source":"CPE_STRING","extracted_events":[{"last_affected":"24"},{"last_affected":"25"}]}]},"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OG5ROMUPS6C7BXELD3TAUUH7OBYV56WQ/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QXDKJYHN74BWY3P7AR2UZDVJREQMRE6S/"},{"type":"ADVISORY","url":"http://www.debian.org/security/2017/dsa-3835"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/94068"},{"type":"ADVISORY","url":"http://www.securitytracker.com/id/1037159"},{"type":"ADVISORY","url":"http://www.ubuntu.com/usn/USN-3115-1"},{"type":"ADVISORY","url":"https://www.djangoproject.com/weblog/2016/nov/01/security-releases/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/django/django","events":[{"introduced":"0"},{"last_affe
cted":"6a0dc2176f4ebf907e124d433411e52bba39a28e"},{"last_affected":"e3c9412d86c3c394e2604e63f3b51c102ae3e3d7"},{"last_affected":"449d1effb81152e54f482784cf7febe965007096"},{"last_affected":"4217f1cdeb070707e54fec8221b9e63e3957ef38"},{"last_affected":"acc3c1df8474f424b2f179bac03d0e9a6bc9aba0"},{"last_affected":"b35adb0909b25a7dafc9212ddedfbf9b29dc05b8"},{"last_affected":"80b7e9d09f2d23209b591288f9b2cf3eb3d927c8"},{"last_affected":"8dd33d429892fc06cc9aa655012491f029f5f491"},{"last_affected":"a1f5bafac51f973cc7219d3b7c96587fe7066920"},{"last_affected":"c982190acf7bcfba5e78a7505a45774916865569"},{"last_affected":"ef08d8cf9e0d1ca62c6c291575d9e306cb09afcb"},{"last_affected":"a98e00f06834e5fdc945c2aca2c3498efb06ac7d"},{"last_affected":"c168aeba175dbb92c615460a360cb1ea978de5d3"},{"last_affected":"4022b2c306e88a4ab7f80507e736ce7ac7d01186"},{"last_affected":"9fbdc48c493f43961173bab8f23d633ab41a9608"},{"last_affected":"25e416ca0f3ea6035c8d797dcc9604bc32202268"},{"last_affected":"9d67bfadf897d4eb082b398fe9482fc6753c7bf2"},{"last_affected":"bd97496d07466f3a940e2fcc114b540ca01cd340"},{"last_affected":"e99ebfcc140a5f794e259994f9252cb440459143"},{"last_affected":"3df8ccf6fc3fa0ab2acf9a03da43fea87f8ff392"},{"last_affected":"e70a309c428cfd4e600dc9fa0c7269b1e7a8efcd"},{"last_affected":"c00335997744196738368f46c30ef2eeaa0ac849"},{"last_affected":"37935743edbf60201adb1b53b56b8cafa754c69a"},{"last_affected":"dafddb6b8c0eb778072bec1ccd536bafad0eb936"},{"last_affected":"b29316c54bb3465265ff931e807229f13349457d"},{"last_affected":"6e749c21e77dc74af068c8e943a6e6850ae0bb24"},{"last_affected":"8a2a3a63b83375d9322c077b6356007e0bef5939"},{"last_affected":"2234d1f08d079a3e4be4f1a89847dc294a4a5c1a"},{"last_affected":"e8bb7464c562388da48bca04c5996fe16a0c3619"},{"last_affected":"f49602ad46b447c5a27d47b0e89b3440109211a4"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"last_affected":"1.8"},{"last_affected":"1.8.1"},{"last_affected":"1.8.2"},{"last_affected":"1.8.3"},{"last_affected":"
1.8.4"},{"last_affected":"1.8.5"},{"last_affected":"1.8.6"},{"last_affected":"1.8.7"},{"last_affected":"1.8.8"},{"last_affected":"1.8.9"},{"last_affected":"1.8.10"},{"last_affected":"1.8.11"},{"last_affected":"1.8.12"},{"last_affected":"1.8.13"},{"last_affected":"1.8.14"},{"last_affected":"1.8.15"},{"last_affected":"1.10"},{"last_affected":"1.10.1"},{"last_affected":"1.10.2"},{"last_affected":"1.9"},{"last_affected":"1.9.1"},{"last_affected":"1.9.2"},{"last_affected":"1.9.3"},{"last_affected":"1.9.4"},{"last_affected":"1.9.5"},{"last_affected":"1.9.6"},{"last_affected":"1.9.7"},{"last_affected":"1.9.8"},{"last_affected":"1.9.9"},{"last_affected":"1.9.10"}],"cpe":["cpe:2.3:a:djangoproject:django:1.8:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.8.1:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.8.2:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.8.3:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.8.4:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.8.5:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.8.6:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.8.7:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.8.8:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.8.9:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.8.10:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.8.11:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.8.12:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.8.13:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.8.14:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.8.15:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.10:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.10.1:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.10.2:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.9:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.9.1:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.9.2:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.9.3:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.9.4:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.9.5:*:*:*:*:*:*:*",
"cpe:2.3:a:djangoproject:django:1.9.6:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.9.7:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.9.8:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.9.9:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.9.10:*:*:*:*:*:*:*"],"source":"CPE_STRING"}}],"versions":["stable/1.8.x","1.8.19","stable/1.10.x","stable/1.9.x","1.10.8","1.8.18","1.9.13","1.10.7","1.10.6","1.10.5","1.10.4","1.9.12","1.8.17","1.8.16","1.9.11","1.10.3","1.10.2","1.9.10","1.8.15","1.10.1","1.10","1.9.9","1.10rc1","1.8.14","1.9.8","1.10b1","1.9.7","1.10a1","1.8.13","1.9.6","1.8.12","1.9.5","1.8.11","1.9.4","1.8.10","1.9.3","1.9.2","1.8.9","1.8.8","1.9.1","1.9","1.9rc2","1.8.7","1.9rc1","1.8.6","1.9b1","1.8.5","1.9a1","1.8.4","1.8.3","1.8.2","1.8.1","1.8","1.8c1","1.8b2","1.8b1","1.8a1","1.7a2","1.4","1.3","1.2.1","1.2","1.1","1.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-9014.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}