{"id":"CVE-2016-9014","details":"Django before 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding attacks by leveraging failure to validate the HTTP Host header against settings.ALLOWED_HOSTS.","aliases":["GHSA-3f2c-jm6v-cr35","PYSEC-2016-18"],"modified":"2026-07-08T05:48:31.413103720Z","published":"2016-12-09T20:59:06.970Z","related":["SUSE-SU-2018:0973-1","SUSE-SU-2018:1102-1"],"database_specific":{"unresolved_ranges":[{"source":"CPE_STRING","vendor_product":"canonical:ubuntu_linux","extracted_events":[{"introduced":"12.04"},{"last_affected":"12.04"},{"introduced":"14.04"},{"last_affected":"14.04"},{"introduced":"16.04"},{"last_affected":"16.04"},{"introduced":"16.10"},{"last_affected":"16.10"}],"cpes":["cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*","cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*","cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*","cpe:2.3:o:canonical:ubuntu_linux:16.10:*:*:*:*:*:*:*"]},{"source":"CPE_STRING","vendor_product":"fedoraproject:fedora","extracted_events":[{"introduced":"24"},{"last_affected":"24"},{"introduced":"25"},{"last_affected":"25"}],"cpes":["cpe:2.3:o:fedoraproject:fedora:24:*:*:*:*:*:*:*","cpe:2.3:o:fedoraproject:fedora:25:*:*:*:*:*:*:*"]}]},"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OG5ROMUPS6C7BXELD3TAUUH7OBYV56WQ/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QXDKJYHN74BWY3P7AR2UZDVJREQMRE6S/"},{"type":"ADVISORY","url":"http://www.debian.org/security/2017/dsa-3835"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/94068"},{"type":"ADVISORY","url":"http://www.securitytracker.com/id/1037159"},{"type":"ADVISORY","url":"http://www.ubuntu.com/usn/USN-3115-1"},{"type":"ADVISORY","url":"https://www.djangoproject.com/weblog/2016/nov/01/security-releases/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/django/django","events":[{"introduced":"6a0dc2176f4ebf907e124d433411e52bba39a28e"},{"last_affected":"f49602ad46b447c5a27d47b0e89b3440109211a4"}],"database_specific":{"cpe":["cpe:2.3:a:djangoproject:django:1.8:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.8.1:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.8.2:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.8.3:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.8.4:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.8.5:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.8.6:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.8.7:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.8.8:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.8.9:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.8.10:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.8.11:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.8.12:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.8.13:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.8.14:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.8.15:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.10:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.10.1:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.10.2:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.9:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.9.1:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.9.2:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.9.3:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.9.4:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.9.5:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.9.6:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.9.7:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.9.8:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.9.9:*:*:*:*:*:*:*","cpe:2.3:a:djangoproject:django:1.9.10:*:*:*:*:*:*:*"],"source":"CPE_STRING","extracted_events":[{"introduced":"1.8"},{"last_affected":"1.8"},{"introduced":"1.8.1"},{"last_affected":"1.8.1"},{"introduced":"1.8.2"},{"last_affected":"1.8.2"},{"introduced":"1.8.3"},{"last_affected":"1.8.3"},{"introduced":"1.8.4"},{"last_affected":"1.8.4"},{"introduced":"1.8.5"},{"last_affected":"1.8.5"},{"introduced":"1.8.6"},{"last_affected":"1.8.6"},{"introduced":"1.8.7"},{"last_affected":"1.8.7"},{"introduced":"1.8.8"},{"last_affected":"1.8.8"},{"introduced":"1.8.9"},{"last_affected":"1.8.9"},{"introduced":"1.8.10"},{"last_affected":"1.8.10"},{"introduced":"1.8.11"},{"last_affected":"1.8.11"},{"introduced":"1.8.12"},{"last_affected":"1.8.12"},{"introduced":"1.8.13"},{"last_affected":"1.8.13"},{"introduced":"1.8.14"},{"last_affected":"1.8.14"},{"introduced":"1.8.15"},{"last_affected":"1.8.15"},{"introduced":"1.10"},{"last_affected":"1.10"},{"introduced":"1.10.1"},{"last_affected":"1.10.1"},{"introduced":"1.10.2"},{"last_affected":"1.10.2"},{"introduced":"1.9"},{"last_affected":"1.9"},{"introduced":"1.9.1"},{"last_affected":"1.9.1"},{"introduced":"1.9.2"},{"last_affected":"1.9.2"},{"introduced":"1.9.3"},{"last_affected":"1.9.3"},{"introduced":"1.9.4"},{"last_affected":"1.9.4"},{"introduced":"1.9.5"},{"last_affected":"1.9.5"},{"introduced":"1.9.6"},{"last_affected":"1.9.6"},{"introduced":"1.9.7"},{"last_affected":"1.9.7"},{"introduced":"1.9.8"},{"last_affected":"1.9.8"},{"introduced":"1.9.9"},{"last_affected":"1.9.9"},{"introduced":"1.9.10"},{"last_affected":"1.9.10"}]}}],"versions":["1.10","1.10.1","1.10.2","1.8","1.8.1","1.8.10","1.8.11","1.8.12","1.8.13","1.8.14","1.8.15","1.8.2","1.8.3","1.8.4","1.8.5","1.8.6","1.8.7","1.8.8","1.8.9","1.9","1.9.1","1.9.10","1.9.2","1.9.3","1.9.4","1.9.5","1.9.6","1.9.7","1.9.8","1.9.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-9014.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}