Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS05ZmM3LXJocTMtd203eM4AAdKW
Apache Jackrabbit Authentication Hijacking Vulnerability
Cross-site request forgery (CSRF) vulnerability in the CSRF content-type check in Jackrabbit-Webdav in Apache Jackrabbit 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.3, 2.10.x before 2.10.4, 2.12.x before 2.12.4, and 2.13.x before 2.13.3 allows remote attackers to hijack the authentication of unspecified victims for requests that create a resource via an HTTP POST request with a (1) missing or (2) crafted Content-Type header.
Permalink: https://github.com/advisories/GHSA-9fc7-rhq3-wm7xJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05ZmM3LXJocTMtd203eM4AAdKW
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: 6 months ago
CVSS Score: 8.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Identifiers: GHSA-9fc7-rhq3-wm7x, CVE-2016-6801
References:
- https://nvd.nist.gov/vuln/detail/CVE-2016-6801
- https://issues.apache.org/jira/browse/JCR-4009
- http://www.debian.org/security/2016/dsa-3679
- http://www.openwall.com/lists/oss-security/2016/09/14/6
- https://web.archive.org/web/20210123170657/http://www.securityfocus.com/bid/92966
- https://github.com/apache/jackrabbit/commit/16f2f02fcaef6202a2bf24c449d4fd10eb98f08d
- https://github.com/apache/jackrabbit/commit/ea75d7c2aeaafecd9ab97736bf81c5616f703244
- https://github.com/apache/jackrabbit/commit/eae001a54aae9c243ac06b5c8f711b2cb2038700
- https://github.com/advisories/GHSA-9fc7-rhq3-wm7x
Blast Radius: 22.5
Affected Packages
maven:org.apache.jackrabbit:jackrabbit-webdav
Dependent packages: 80Dependent repositories: 357
Downloads:
Affected Version Ranges: >= 2.13.0, < 2.13.3, >= 2.12.0, < 2.12.4, >= 2.10.0, < 2.10.4, >= 2.8.0, < 2.8.3, >= 2.6.0, < 2.6.6, >= 2.4.0, < 2.4.6
Fixed in: 2.13.3, 2.12.4, 2.10.4, 2.8.3, 2.6.6, 2.4.6
All affected versions: 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.8.0, 2.8.1, 2.8.2, 2.10.0, 2.10.1, 2.10.2, 2.10.3, 2.12.0, 2.12.1, 2.12.2, 2.12.3, 2.13.0, 2.13.1, 2.13.2
All unaffected versions: 1.2.1, 1.2.2, 1.2.3, 1.3.1, 1.3.3, 1.5.0, 1.5.2, 1.5.5, 1.6.0, 1.6.1, 1.6.2, 1.6.4, 1.6.5, 2.0.0, 2.0.3, 2.0.5, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.5, 2.1.6, 2.2.0, 2.2.1, 2.2.2, 2.2.4, 2.2.5, 2.2.7, 2.2.8, 2.2.9, 2.2.10, 2.2.11, 2.2.12, 2.2.13, 2.3.0, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.4.6, 2.4.7, 2.4.8, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.6.6, 2.6.7, 2.6.8, 2.6.9, 2.6.10, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.7.5, 2.8.3, 2.8.4, 2.8.5, 2.8.6, 2.8.7, 2.8.8, 2.8.9, 2.8.10, 2.9.0, 2.9.1, 2.10.4, 2.10.5, 2.10.6, 2.10.7, 2.10.8, 2.10.9, 2.11.0, 2.11.1, 2.11.2, 2.11.3, 2.12.4, 2.12.5, 2.12.6, 2.12.7, 2.12.8, 2.12.9, 2.12.10, 2.12.11, 2.13.3, 2.13.4, 2.13.5, 2.13.6, 2.13.7, 2.14.0, 2.14.1, 2.14.2, 2.14.3, 2.14.4, 2.14.5, 2.14.6, 2.14.7, 2.14.8, 2.14.9, 2.14.10, 2.15.0, 2.15.1, 2.15.2, 2.15.3, 2.15.4, 2.15.5, 2.15.6, 2.15.7, 2.15.8, 2.16.0, 2.16.1, 2.16.2, 2.16.3, 2.16.4, 2.16.5, 2.16.6, 2.16.7, 2.16.8, 2.16.9, 2.16.10, 2.17.0, 2.17.1, 2.17.2, 2.17.3, 2.17.4, 2.17.5, 2.17.6, 2.17.7, 2.18.0, 2.18.1, 2.18.2, 2.18.3, 2.18.4, 2.18.5, 2.18.6, 2.19.0, 2.19.1, 2.19.2, 2.19.3, 2.19.4, 2.19.5, 2.19.6, 2.20.0, 2.20.1, 2.20.2, 2.20.3, 2.20.4, 2.20.5, 2.20.6, 2.20.7, 2.20.8, 2.20.9, 2.20.10, 2.20.11, 2.20.12, 2.20.13, 2.20.14, 2.20.15, 2.21.0, 2.21.1, 2.21.2, 2.21.3, 2.21.4, 2.21.5, 2.21.6, 2.21.7, 2.21.8, 2.21.9, 2.21.10, 2.21.11, 2.21.12, 2.21.13, 2.21.14, 2.21.15, 2.21.16, 2.21.17, 2.21.18, 2.21.19, 2.21.20, 2.21.21, 2.21.22, 2.21.23, 2.21.24, 2.21.25