Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1xaDl4LW1jNDItdmc0Z84AAXGu
django-anymail Includes Sensitive Information in Log Files
Anymail django-anymail version version 0.2 through 1.3 contains a CWE-532, CWE-209 vulnerability in WEBHOOK_AUTHORIZATION setting value that can result in An attacker with access to error logs could fabricate email tracking events. This attack appear to be exploitable via If you have exposed your Django error reports, an attacker could discover your ANYMAIL_WEBHOOK setting and use this to post fabricated or malicious Anymail tracking/inbound events to your app. This vulnerability appears to have been fixed in v1.4.
Permalink: https://github.com/advisories/GHSA-qh9x-mc42-vg4gJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xaDl4LW1jNDItdmc0Z84AAXGu
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: over 1 year ago
CVSS Score: 7.4
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Identifiers: GHSA-qh9x-mc42-vg4g, CVE-2018-1000089
References:
- https://nvd.nist.gov/vuln/detail/CVE-2018-1000089
- https://github.com/anymail/django-anymail/commit/1a6086f2b58478d71f89bf27eb034ed81aefe5ef
- https://github.com/anymail/django-anymail/releases/tag/v1.4
- https://github.com/advisories/GHSA-qh9x-mc42-vg4g
- https://github.com/pypa/advisory-database/tree/main/vulns/django-anymail/PYSEC-2018-46.yaml
Blast Radius: 23.2
Affected Packages
pypi:django-anymail
Dependent packages: 5Dependent repositories: 1,363
Downloads: 629,500 last month
Affected Version Ranges: >= 0.2, < 1.4
Fixed in: 1.4
All affected versions: 0.3.1, 0.4.1, 0.4.2, 0.6.1, 0.11.1, 1.2.1
All unaffected versions: 6.0.1, 6.1.0, 7.0.0, 7.1.0, 7.2.1