What is the severity of CVE-2016-9014?

CVE-2016-9014 is rated as a high-severity vulnerability due to its potential for DNS rebinding attacks.

How do I fix CVE-2016-9014?

To fix CVE-2016-9014, upgrade your Django version to at least 1.8.16, 1.9.11, or 1.10.3.

What does CVE-2016-9014 affect?

CVE-2016-9014 affects Django versions prior to 1.8.16, 1.9.11, and 1.10.3 when the settings.DEBUG is set to True.

Can CVE-2016-9014 be exploited remotely?

Yes, CVE-2016-9014 can be exploited remotely by attackers leveraging the unvalidated HTTP Host header.

What is a DNS rebinding attack as related to CVE-2016-9014?

A DNS rebinding attack allows an attacker to bypass the browser's same-origin policy and interact with services in the local network.

Vulnerability/
CVE-2016-9014

high

8.1

CWE

264

9/12/2016

17/5/2022

18/9/2024

CVE-2016-9014

First published: Fri Dec 09 2016(Updated: )

Django before 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding attacks by leveraging failure to validate the HTTP Host header against settings.ALLOWED_HOSTS.

Credit: cve@mitre.org

Affected Software	Affected Version	How to fix
pip/Django	>=1.10a1<1.10.3	1.10.3
pip/Django	>=1.9a1<1.9.11	1.9.11
pip/Django	>=1.8a1<1.8.16	1.8.16
Fedora	=24
Fedora	=25
Ubuntu	=12.04
Ubuntu	=14.04
Ubuntu	=16.04
Ubuntu	=16.10
Django	=1.8
Django	=1.8.1
Django	=1.8.2
Django	=1.8.3
Django	=1.8.4
Django	=1.8.5
Django	=1.8.6
Django	=1.8.7
Django	=1.8.8
Django	=1.8.9
Django	=1.8.10
Django	=1.8.11
Django	=1.8.12
Django	=1.8.13
Django	=1.8.14
Django	=1.8.15
Django	=1.10
Django	=1.10.1
Django	=1.10.2
Django	=1.9
Django	=1.9.1
Django	=1.9.2
Django	=1.9.3
Django	=1.9.4
Django	=1.9.5
Django	=1.9.6
Django	=1.9.7
Django	=1.9.8
Django	=1.9.9
Django	=1.9.10

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2016-9014?
CVE-2016-9014 is rated as a high-severity vulnerability due to its potential for DNS rebinding attacks.
How do I fix CVE-2016-9014?
To fix CVE-2016-9014, upgrade your Django version to at least 1.8.16, 1.9.11, or 1.10.3.
What does CVE-2016-9014 affect?
CVE-2016-9014 affects Django versions prior to 1.8.16, 1.9.11, and 1.10.3 when the settings.DEBUG is set to True.
Can CVE-2016-9014 be exploited remotely?
Yes, CVE-2016-9014 can be exploited remotely by attackers leveraging the unvalidated HTTP Host header.
What is a DNS rebinding attack as related to CVE-2016-9014?
A DNS rebinding attack allows an attacker to bypass the browser's same-origin policy and interact with services in the local network.

agent/type
agent/severity
agent/weakness
agent/description
collector/mitre-cve
source/MITRE
agent/first-publish-date
agent/event
collector/github-advisory-latest
source/GitHub
alias/GHSA-3f2c-jm6v-cr35
alias/CVE-2016-9014
agent/software-canonical-lookup
agent/references
agent/last-modified-date
collector/github-advisory
agent/trending
agent/source
agent/author
agent/softwarecombine
agent/tags
collector/nvd-index
agent/software-canonical-lookup-request
collector/nvd-cve
source/NVD
package-manager/pip
vendor/fedoraproject
canonical/fedora
version/fedora/24
version/fedora/25
vendor/canonical
canonical/ubuntu
version/ubuntu/12.04
version/ubuntu/14.04
version/ubuntu/16.04
version/ubuntu/16.10
vendor/djangoproject
canonical/django
version/django/1.8
version/django/1.8.1
version/django/1.8.2
version/django/1.8.3
version/django/1.8.4
version/django/1.8.5
version/django/1.8.6
version/django/1.8.7
version/django/1.8.8
version/django/1.8.9
version/django/1.8.10
version/django/1.8.11
version/django/1.8.12
version/django/1.8.13
version/django/1.8.14
version/django/1.8.15
version/django/1.10
version/django/1.10.1
version/django/1.10.2
version/django/1.9
version/django/1.9.1
version/django/1.9.2
version/django/1.9.3
version/django/1.9.4
version/django/1.9.5
version/django/1.9.6
version/django/1.9.7
version/django/1.9.8
version/django/1.9.9
version/django/1.9.10