{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2016-11-01T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "Django before 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding attacks by leveraging failure to validate the HTTP Host header against settings.ALLOWED_HOSTS."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-11-03T18:57:01.000Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.djangoproject.com/weblog/2016/nov/01/security-releases/"}, {"name": "FEDORA-2016-d4571bf555", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QXDKJYHN74BWY3P7AR2UZDVJREQMRE6S/"}, {"name": "94068", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/94068"}, {"name": "DSA-3835", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2017/dsa-3835"}, {"name": "USN-3115-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-3115-1"}, {"name": "1037159", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1037159"}, {"name": "FEDORA-2016-3eb5a55123", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OG5ROMUPS6C7BXELD3TAUUH7OBYV56WQ/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-9014", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Django before 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding attacks by leveraging failure to validate the HTTP Host header against settings.ALLOWED_HOSTS."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.djangoproject.com/weblog/2016/nov/01/security-releases/", "refsource": "CONFIRM", "url": "https://www.djangoproject.com/weblog/2016/nov/01/security-releases/"}, {"name": "FEDORA-2016-d4571bf555", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QXDKJYHN74BWY3P7AR2UZDVJREQMRE6S/"}, {"name": "94068", "refsource": "BID", "url": "http://www.securityfocus.com/bid/94068"}, {"name": "DSA-3835", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2017/dsa-3835"}, {"name": "USN-3115-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-3115-1"}, {"name": "1037159", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1037159"}, {"name": "FEDORA-2016-3eb5a55123", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OG5ROMUPS6C7BXELD3TAUUH7OBYV56WQ/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T02:35:02.332Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.djangoproject.com/weblog/2016/nov/01/security-releases/"}, {"name": "FEDORA-2016-d4571bf555", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QXDKJYHN74BWY3P7AR2UZDVJREQMRE6S/"}, {"name": "94068", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/94068"}, {"name": "DSA-3835", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2017/dsa-3835"}, {"name": "USN-3115-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "http://www.ubuntu.com/usn/USN-3115-1"}, {"name": "1037159", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1037159"}, {"name": "FEDORA-2016-3eb5a55123", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OG5ROMUPS6C7BXELD3TAUUH7OBYV56WQ/"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2016-9014", "datePublished": "2016-12-09T20:00:00.000Z", "dateReserved": "2016-10-25T00:00:00.000Z", "dateUpdated": "2024-08-06T02:35:02.332Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:24:*:*:*:*:*:*:*", "matchCriteriaId": "C729D5D1-ED95-443A-9F53-5D7C2FD9B80C", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:25:*:*:*:*:*:*:*", "matchCriteriaId": "772E9557-A371-4664-AE2D-4135AAEB89AA", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*", "matchCriteriaId": "B6B7CAD7-9D4E-4FDB-88E3-1E583210A01F", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*", "matchCriteriaId": "B5A6F2F3-4894-4392-8296-3B8DD2679084", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "matchCriteriaId": "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.10:*:*:*:*:*:*:*", "matchCriteriaId": "1AFB20FA-CB00-4729-AB3A-816454C6D096", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:djangoproject:django:1.8:*:*:*:*:*:*:*", "matchCriteriaId": "6BCCB794-1F30-4FC2-A63A-BCE7539BE5DF", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.8.1:*:*:*:*:*:*:*", "matchCriteriaId": "2510BAD7-1FB6-4F6F-A2CC-9DE9AD39B4FF", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.8.2:*:*:*:*:*:*:*", "matchCriteriaId": "D1B388C7-ED4E-4416-969F-32263E7D7AA8", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.8.3:*:*:*:*:*:*:*", "matchCriteriaId": "63D36984-4C8E-4CDB-8D15-445705FCECF9", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.8.4:*:*:*:*:*:*:*", "matchCriteriaId": "3B324AE6-ADD8-41B9-B250-A6577ACBB364", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.8.5:*:*:*:*:*:*:*", "matchCriteriaId": "F6487058-6768-4AD3-BE27-A0B3D1ACFC08", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.8.6:*:*:*:*:*:*:*", "matchCriteriaId": "0CFF0538-B111-44A8-ADC2-87E280186257", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.8.7:*:*:*:*:*:*:*", "matchCriteriaId": "C3343FF8-53EC-459D-B31C-CD363D04FF42", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.8.8:*:*:*:*:*:*:*", "matchCriteriaId": "B9B637E9-067A-4473-9B50-433CCC177982", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.8.9:*:*:*:*:*:*:*", "matchCriteriaId": "99A5BF6D-631B-4C8E-9868-579BD79100C7", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.8.10:*:*:*:*:*:*:*", "matchCriteriaId": "280B9958-9163-4126-910A-2EF4B408DFCF", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.8.11:*:*:*:*:*:*:*", "matchCriteriaId": "6A40373B-301E-4B81-8FA5-28D916142F59", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.8.12:*:*:*:*:*:*:*", "matchCriteriaId": "79BB3174-7859-4195-B7B3-BCAA280A6F80", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.8.13:*:*:*:*:*:*:*", "matchCriteriaId": "42EF41AF-B2FA-468A-B161-D9FE29CE53EB", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.8.14:*:*:*:*:*:*:*", "matchCriteriaId": "48DF0100-F98E-4997-A8F7-DC07FA4A06D6", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.8.15:*:*:*:*:*:*:*", "matchCriteriaId": "ECDC5647-8EA7-4595-88C2-541BC489ED2D", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:djangoproject:django:1.10:*:*:*:*:*:*:*", "matchCriteriaId": "FE21DA5F-C086-4E98-A5DD-2B96731B56D1", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.10.1:*:*:*:*:*:*:*", "matchCriteriaId": "2CE31960-7C68-42F3-B215-B30A87DB67CC", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.10.2:*:*:*:*:*:*:*", "matchCriteriaId": "B3838B8E-8F0E-4F7A-88E6-FFF2590E5302", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:djangoproject:django:1.9:*:*:*:*:*:*:*", "matchCriteriaId": "29C40BAC-6DF3-4EA2-A65A-86462DDD8723", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.9.1:*:*:*:*:*:*:*", "matchCriteriaId": "6B754401-8503-4553-853F-4F6BCD2D2FF2", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.9.2:*:*:*:*:*:*:*", "matchCriteriaId": "019C26C7-EF1F-45BB-934E-521E2E64452E", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.9.3:*:*:*:*:*:*:*", "matchCriteriaId": "A18691A7-E4D0-48A4-81A7-89846E991AF2", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.9.4:*:*:*:*:*:*:*", "matchCriteriaId": "7C06EBD9-381E-4018-BFDC-E23EA18097B0", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.9.5:*:*:*:*:*:*:*", "matchCriteriaId": "7D134048-B64F-45AE-B4A2-26E516CCF37B", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.9.6:*:*:*:*:*:*:*", "matchCriteriaId": "0F39B83A-C10B-4B88-9491-2FB8B07D6EA5", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.9.7:*:*:*:*:*:*:*", "matchCriteriaId": "64A4030E-F51F-4944-BCE7-E27CD32EC7D4", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.9.8:*:*:*:*:*:*:*", "matchCriteriaId": "CCC1F046-DAF7-4734-9F80-A3C57857AF18", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.9.9:*:*:*:*:*:*:*", "matchCriteriaId": "61EE8536-0E8D-477A-B8EA-817CE21D516A", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.9.10:*:*:*:*:*:*:*", "matchCriteriaId": "483D0F44-15C8-43A2-B3AE-331F40DA1A80", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Django before 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding attacks by leveraging failure to validate the HTTP Host header against settings.ALLOWED_HOSTS."}, {"lang": "es", "value": "Django en versiones anteriores a 1.8.x en versiones anteriores a 1.8.16, 1.9.x en versiones anteriores a 1.9.11 y 1.10.x en versiones anteriores a 1.10.3 cuando settings.DEBUG es True, permiten a atacantes remotos llevar a cabo ataques de revinculaci\u00f3n DNS aprovechando el fallo para validar la cabecera del Host HTTP contra settings.ALLOWED_HOSTS."}], "id": "CVE-2016-9014", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2016-12-09T20:59:06.970", "references": [{"source": "cve@mitre.org", "url": "http://www.debian.org/security/2017/dsa-3835"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/94068"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securitytracker.com/id/1037159"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://www.ubuntu.com/usn/USN-3115-1"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OG5ROMUPS6C7BXELD3TAUUH7OBYV56WQ/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QXDKJYHN74BWY3P7AR2UZDVJREQMRE6S/"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://www.djangoproject.com/weblog/2016/nov/01/security-releases/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2017/dsa-3835"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/94068"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securitytracker.com/id/1037159"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://www.ubuntu.com/usn/USN-3115-1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OG5ROMUPS6C7BXELD3TAUUH7OBYV56WQ/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QXDKJYHN74BWY3P7AR2UZDVJREQMRE6S/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://www.djangoproject.com/weblog/2016/nov/01/security-releases/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-264"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank the Django project for reporting this issue.", "bugzilla": {"description": "python-django: DNS rebinding vulnerability when 'DEBUG=True'", "id": "1389417", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1389417"}, "csaw": false, "cvss": {"cvss_base_score": "4.0", "cvss_scoring_vector": "AV:N/AC:H/Au:N/C:P/I:P/A:N", "status": "draft"}, "cvss3": {"cvss3_base_score": "7.4", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "status": "draft"}, "details": ["Django before 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding attacks by leveraging failure to validate the HTTP Host header against settings.ALLOWED_HOSTS."], "name": "CVE-2016-9014", "package_state": [{"cpe": "cpe:/a:redhat:ceph_storage:1.3", "fix_state": "Will not fix", "package_name": "calamari-server", "product_name": "Red Hat Ceph Storage 1.3"}, {"cpe": "cpe:/a:redhat:ceph_storage:2", "fix_state": "Will not fix", "package_name": "python-django", "product_name": "Red Hat Ceph Storage 2"}, {"cpe": "cpe:/a:redhat:openstack:5::el6", "fix_state": "Will not fix", "package_name": "python-django", "product_name": "Red Hat Enterprise Linux OpenStack Platform 5 (Icehouse)"}, {"cpe": "cpe:/a:redhat:openstack:6", "fix_state": "Will not fix", "package_name": "python-django", "product_name": "Red Hat Enterprise Linux OpenStack Platform 6 (Juno)"}, {"cpe": "cpe:/a:redhat:openstack:7", "fix_state": "Will not fix", "package_name": "python-django", "product_name": "Red Hat Enterprise Linux OpenStack Platform 7 (Kilo)"}, {"cpe": "cpe:/a:redhat:openstack-optools:7", "fix_state": "Will not fix", "package_name": "python-django", "product_name": "Red Hat Enterprise Linux OpenStack Platform 7 (Kilo) Operational Tools"}, {"cpe": "cpe:/a:redhat:openstack:10", "fix_state": "Will not fix", "package_name": "python-django", "product_name": "Red Hat OpenStack Platform 10 (Newton)"}, {"cpe": "cpe:/a:redhat:openstack-optools:10", "fix_state": "Will not fix", "package_name": "python-django", "product_name": "Red Hat OpenStack Platform 10 (Newton) Operational Tools"}, {"cpe": "cpe:/a:redhat:openstack:8", "fix_state": "Will not fix", "package_name": "python-django", "product_name": "Red Hat OpenStack Platform 8 (Liberty)"}, {"cpe": "cpe:/a:redhat:openstack-optools:8", "fix_state": "Will not fix", "package_name": "python-django", "product_name": "Red Hat OpenStack Platform 8 (Liberty) Operational Tools"}, {"cpe": "cpe:/a:redhat:openstack:9", "fix_state": "Will not fix", "package_name": "python-django", "product_name": "Red Hat OpenStack Platform 9 (Mitaka)"}, {"cpe": "cpe:/a:redhat:openstack-optools:9", "fix_state": "Will not fix", "package_name": "python-django", "product_name": "Red Hat OpenStack Platform 9 (Mitaka) Operational Tools"}, {"cpe": "cpe:/a:redhat:rhscon:2", "fix_state": "Will not fix", "package_name": "Django", "product_name": "Red Hat Storage Console 2"}, {"cpe": "cpe:/a:redhat:rhscon:2", "fix_state": "Will not fix", "package_name": "python-django", "product_name": "Red Hat Storage Console 2"}, {"cpe": "cpe:/a:rhel_sam:1", "fix_state": "Will not fix", "package_name": "Django", "product_name": "Red Hat Subscription Asset Manager"}], "public_date": "2016-11-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2016-9014\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-9014"], "threat_severity": "Low"}

{}