CVE-2016-6801 (high)
CVSS v3: 8.8
CVSS v2: 6.8
VIR risk: 8.8
Description
Cross-site request forgery (CSRF) vulnerability in the CSRF content-type check in Jackrabbit-Webdav in Apache Jackrabbit 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.3, 2.10.x before 2.10.4, 2.12.x before 2.12.4, and 2.13.x before 2.13.3 allows remote attackers to hijack the authentication of unspecified victims for requests that create a resource via an HTTP POST request with a (1) missing or (2) crafted Content-Type header.
Predictions
Exploit likelihood: 92%
Patch ETA: —
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2016-6801
Vendor advisory: cve@mitre.org — https://issues.apache.org/jira/browse/JCR-4009
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | fixed | 2.12.4-1 |
| debian | bullseye | fixed | 2.12.4-1 |
| debian | forky | fixed | 2.12.4-1 |
| debian | sid | fixed | 2.12.4-1 |
| debian | trixie | fixed | 2.12.4-1 |
| debian | 8.0 | affected | |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Maven | org.apache.jackrabbit:jackrabbit-webdav | >=2.4.0,<2.4.6 | 2.4.6 |
| Maven | org.apache.jackrabbit:jackrabbit-webdav | >=2.6.0,<2.6.6 | 2.6.6 |
| Maven | org.apache.jackrabbit:jackrabbit-webdav | >=2.8.0,<2.8.3 | 2.8.3 |
| Maven | org.apache.jackrabbit:jackrabbit-webdav | >=2.10.0,<2.10.4 | 2.10.4 |
| Maven | org.apache.jackrabbit:jackrabbit-webdav | >=2.12.0,<2.12.4 | 2.12.4 |
| Maven | org.apache.jackrabbit:jackrabbit-webdav | >=2.13.0,<2.13.3 | 2.13.3 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| apache | jackrabbit | 2.4.0 | |
| apache | jackrabbit | 2.4.1 | |
| apache | jackrabbit | 2.4.2 | |
| apache | jackrabbit | 2.4.3 | |
| apache | jackrabbit | 2.4.4 | |
| apache | jackrabbit | 2.4.5 | |
| apache | jackrabbit | 2.6.0 | |
| apache | jackrabbit | 2.6.1 | |
| apache | jackrabbit | 2.6.2 | |
| apache | jackrabbit | 2.6.3 | |
| apache | jackrabbit | 2.6.4 | |
| apache | jackrabbit | 2.6.5 | |
| apache | jackrabbit | 2.8.0 | |
| apache | jackrabbit | 2.8.1 | |
| apache | jackrabbit | 2.8.2 | |
| apache | jackrabbit | 2.10.0 | |
| apache | jackrabbit | 2.10.1 | |
| apache | jackrabbit | 2.10.2 | |
| apache | jackrabbit | 2.10.3 | |
| apache | jackrabbit | 2.12.0 | |
| apache | jackrabbit | 2.12.1 | |
| apache | jackrabbit | 2.12.2 | |
| apache | jackrabbit | 2.12.3 | |
| apache | jackrabbit | 2.13.0 | |
| apache | jackrabbit | 2.13.1 | |
| apache | jackrabbit | 2.13.2 | |
References
- http://www.debian.org/security/2016/dsa-3679
- http://www.openwall.com/lists/oss-security/2016/09/14/6
- http://www.securityfocus.com/bid/92966
- https://issues.apache.org/jira/browse/JCR-4009
- https://nvd.nist.gov/vuln/detail/CVE-2016-6801
- https://github.com/apache/jackrabbit/commit/16f2f02fcaef6202a2bf24c449d4fd10eb98f08d
- https://github.com/apache/jackrabbit/commit/ea75d7c2aeaafecd9ab97736bf81c5616f703244
- https://github.com/apache/jackrabbit/commit/eae001a54aae9c243ac06b5c8f711b2cb2038700
- https://github.com/apache/jackrabbit
- https://web.archive.org/web/20210123170657/http://www.securityfocus.com/bid/92966
- https://security-tracker.debian.org/tracker/CVE-2016-6801
CWEs
CWE-352