{"id":"CVE-2016-9014","details":"Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allows remote attackers to conduct DNS rebinding attacks by leveraging failure to validate the HTTP Host header against settings.ALLOWED_HOSTS.","aliases":["GHSA-3f2c-jm6v-cr35","PYSEC-2016-18"],"modified":"2026-04-16T06:17:27.888977480Z","published":"2016-12-09T20:59:06.970Z","related":["SUSE-SU-2018:0973-1","SUSE-SU-2018:1102-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OG5ROMUPS6C7BXELD3TAUUH7OBYV56WQ/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QXDKJYHN74BWY3P7AR2UZDVJREQMRE6S/"},{"type":"ADVISORY","url":"http://www.debian.org/security/2017/dsa-3835"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/94068"},{"type":"ADVISORY","url":"http://www.securitytracker.com/id/1037159"},{"type":"ADVISORY","url":"http://www.ubuntu.com/usn/USN-3115-1"},{"type":"ADVISORY","url":"https://www.djangoproject.com/weblog/2016/nov/01/security-releases/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/django/django","events":[{"introduced":"0"},{"last_affected":"6a0dc2176f4ebf907e124d433411e52bba39a28e"},{"introduced":"0"},{"last_affected":"e3c9412d86c3c394e2604e63f3b51c102ae3e3d7"},{"introduced":"0"},{"last_affected":"449d1effb81152e54f482784cf7febe965007096"},{"introduced":"0"},{"last_affected":"4217f1cdeb070707e54fec8221b9e63e3957ef38"},{"introduced":"0"},{"last_affected":"acc3c1df8474f424b2f179bac03d0e9a6bc9aba0"},{"introduced":"0"},{"last_affected":"b35adb0909b25a7dafc9212ddedfbf9b29dc05b8"},{"introduced":"0"},{"last_affected":"80b7e9d09f2d23209b591288f9b2cf3eb3d927c8"},{"introduced":"0"},{"last_affected":"8dd33d429892fc06cc9aa655012491f029f5f491"},{"introduced":"0"},{"last_affected":"a1f5bafac51f973cc7219d3b7c96587fe7066920"},{"introduced":"0"},{
"last_affected":"c982190acf7bcfba5e78a7505a45774916865569"},{"introduced":"0"},{"last_affected":"ef08d8cf9e0d1ca62c6c291575d9e306cb09afcb"},{"introduced":"0"},{"last_affected":"a98e00f06834e5fdc945c2aca2c3498efb06ac7d"},{"introduced":"0"},{"last_affected":"c168aeba175dbb92c615460a360cb1ea978de5d3"},{"introduced":"0"},{"last_affected":"4022b2c306e88a4ab7f80507e736ce7ac7d01186"},{"introduced":"0"},{"last_affected":"9fbdc48c493f43961173bab8f23d633ab41a9608"},{"introduced":"0"},{"last_affected":"25e416ca0f3ea6035c8d797dcc9604bc32202268"},{"introduced":"0"},{"last_affected":"9d67bfadf897d4eb082b398fe9482fc6753c7bf2"},{"introduced":"0"},{"last_affected":"bd97496d07466f3a940e2fcc114b540ca01cd340"},{"introduced":"0"},{"last_affected":"e99ebfcc140a5f794e259994f9252cb440459143"},{"introduced":"0"},{"last_affected":"3df8ccf6fc3fa0ab2acf9a03da43fea87f8ff392"},{"introduced":"0"},{"last_affected":"e70a309c428cfd4e600dc9fa0c7269b1e7a8efcd"},{"introduced":"0"},{"last_affected":"c00335997744196738368f46c30ef2eeaa0ac849"},{"introduced":"0"},{"last_affected":"37935743edbf60201adb1b53b56b8cafa754c69a"},{"introduced":"0"},{"last_affected":"dafddb6b8c0eb778072bec1ccd536bafad0eb936"},{"introduced":"0"},{"last_affected":"b29316c54bb3465265ff931e807229f13349457d"},{"introduced":"0"},{"last_affected":"6e749c21e77dc74af068c8e943a6e6850ae0bb24"},{"introduced":"0"},{"last_affected":"8a2a3a63b83375d9322c077b6356007e0bef5939"},{"introduced":"0"},{"last_affected":"2234d1f08d079a3e4be4f1a89847dc294a4a5c1a"},{"introduced":"0"},{"last_affected":"e8bb7464c562388da48bca04c5996fe16a0c3619"},{"introduced":"0"},{"last_affected":"f49602ad46b447c5a27d47b0e89b3440109211a4"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.8"},{"introduced":"0"},{"last_affected":"1.8.1"},{"introduced":"0"},{"last_affected":"1.8.2"},{"introduced":"0"},{"last_affected":"1.8.3"},{"introduced":"0"},{"last_affected":"1.8.4"},{"introduced":"0"},{"last_affected":"1.8.5"},{"introduced":"0"},{"last_affected":"1
.8.6"},{"introduced":"0"},{"last_affected":"1.8.7"},{"introduced":"0"},{"last_affected":"1.8.8"},{"introduced":"0"},{"last_affected":"1.8.9"},{"introduced":"0"},{"last_affected":"1.8.10"},{"introduced":"0"},{"last_affected":"1.8.11"},{"introduced":"0"},{"last_affected":"1.8.12"},{"introduced":"0"},{"last_affected":"1.8.13"},{"introduced":"0"},{"last_affected":"1.8.14"},{"introduced":"0"},{"last_affected":"1.8.15"},{"introduced":"0"},{"last_affected":"1.10"},{"introduced":"0"},{"last_affected":"1.10.1"},{"introduced":"0"},{"last_affected":"1.10.2"},{"introduced":"0"},{"last_affected":"1.9"},{"introduced":"0"},{"last_affected":"1.9.1"},{"introduced":"0"},{"last_affected":"1.9.2"},{"introduced":"0"},{"last_affected":"1.9.3"},{"introduced":"0"},{"last_affected":"1.9.4"},{"introduced":"0"},{"last_affected":"1.9.5"},{"introduced":"0"},{"last_affected":"1.9.6"},{"introduced":"0"},{"last_affected":"1.9.7"},{"introduced":"0"},{"last_affected":"1.9.8"},{"introduced":"0"},{"last_affected":"1.9.9"},{"introduced":"0"},{"last_affected":"1.9.10"}]}}],"versions":["1.0","1.1","1.10","1.10.1","1.10.2","1.10.3","1.10.4","1.10.5","1.10.6","1.10.7","1.10.8","1.10a1","1.10b1","1.10rc1","1.2","1.2.1","1.3","1.4","1.7a2","1.8","1.8.1","1.8.10","1.8.11","1.8.12","1.8.13","1.8.14","1.8.15","1.8.16","1.8.17","1.8.18","1.8.19","1.8.2","1.8.3","1.8.4","1.8.5","1.8.6","1.8.7","1.8.8","1.8.9","1.8a1","1.8b1","1.8b2","1.8c1","1.9","1.9.1","1.9.10","1.9.11","1.9.12","1.9.13","1.9.2","1.9.3","1.9.4","1.9.5","1.9.6","1.9.7","1.9.8","1.9.9","1.9a1","1.9b1","1.9rc1","1.9rc2","stable/1.10.x","stable/1.8.x","stable/1.9.x"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-9014.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"24"}]},{"events":[{"introduced":"0"},{"last_affected":"25"}]},{"events":[{"introduced":"0"},{"last_affected":"12.04"}]},{"events":[{"introduced":"0"},{"last_affected":"14.04"}]},{"events":[{"introduced":"0"}
,{"last_affected":"16.04"}]},{"events":[{"introduced":"0"},{"last_affected":"16.10"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}