Candidate: CVE-2016-6801
PublicDate: 2016-09-21 14:25:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6801
 http://svn.apache.org/r1758791 (2.4.x)
 http://svn.apache.org/r1758771 (2.6.x)
 http://svn.apache.org/r1758764 (2.8.x)
Description:
 Cross-site request forgery (CSRF) vulnerability in the CSRF content-type
 check in Jackrabbit-Webdav in Apache Jackrabbit 2.4.x before 2.4.6, 2.6.x
 before 2.6.6, 2.8.x before 2.8.3, 2.10.x before 2.10.4, 2.12.x before
 2.12.4, and 2.13.x before 2.13.3 allows remote attackers to hijack the
 authentication of unspecified victims for requests that create a resource
 via an HTTP POST request with a (1) missing or (2) crafted Content-Type
 header.
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by: Lukas Reschke
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H [8.8 HIGH]

Patches_jackrabbit:
upstream: https://github.com/apache/jackrabbit/commit/4108e9feedb188754e59dc060db8e111b427ac37 (2.10)
upstream: https://github.com/apache/jackrabbit/commit/987168c04327fd4fbbb4fb9d13ae92d5ca888386 (2.10)
upstream_jackrabbit: needed
precise_jackrabbit: DNE
precise/esm_jackrabbit: DNE
trusty_jackrabbit: released (2.3.6-1+deb8u2build0.14.04.1)
trusty/esm_jackrabbit: released (2.3.6-1+deb8u2build0.14.04.1)
vivid/stable-phone-overlay_jackrabbit: DNE
vivid/ubuntu-core_jackrabbit: DNE
xenial_jackrabbit: ignored (end of standard support, was needed)
yakkety_jackrabbit: ignored (reached end-of-life)
zesty_jackrabbit: ignored (reached end-of-life)
artful_jackrabbit: ignored (reached end-of-life)
bionic_jackrabbit: not-affected (2.12.4-1)
cosmic_jackrabbit: not-affected (2.12.4-1)
disco_jackrabbit: not-affected (2.12.4-1)
eoan_jackrabbit: not-affected (2.12.4-1)
focal_jackrabbit: not-affected (2.12.4-1)
groovy_jackrabbit: not-affected (2.12.4-1)
hirsute_jackrabbit: not-affected (2.12.4-1)
impish_jackrabbit: not-affected (2.12.4-1)
jammy_jackrabbit: not-affected (2.12.4-1)
devel_jackrabbit: not-affected (2.12.4-1)
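The description attributes the flaw to a CSRF content-type check that a POST can satisfy by omitting the Content-Type header or by sending a crafted one. The following is an added example written for this record, not Jackrabbit's code and not the content of the upstream commits listed above: it pairs an illustrative weak check of that shape (exact string match on the raw header, which a missing header or a parameter such as `;charset=utf-8` slips past) with a hardened one that fails closed on a missing header and compares the parsed media type. The request headers, host names and the `authorize_post` gate around the check are constructed for illustration; the Origin/Referer-against-Host comparison is one common way to validate a form-submittable POST and is an assumption here, not a description of Jackrabbit's validation.

```python
from typing import Callable, Dict, Optional
from urllib.parse import urlparse

# Media types a browser can send cross-site from an HTML form (or a "simple"
# fetch/XHR) without a CORS preflight. A body under one of these may have
# been submitted by a page on another origin, so it needs CSRF validation.
FORM_MEDIA_TYPES = frozenset({
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
})


def weak_needs_csrf_check(content_type: Optional[str]) -> bool:
    """Illustrative weak check (constructed for this example): exact match on
    the raw header. A missing header (None) or any parameter after ';' makes it
    return False, so the caller skips CSRF validation for that request."""
    return content_type in FORM_MEDIA_TYPES


def media_type(content_type: Optional[str]) -> Optional[str]:
    """Bare type/subtype of a Content-Type value, lowercased, parameters and
    surrounding whitespace removed. None when the header is absent."""
    if content_type is None:
        return None
    return content_type.split(";", 1)[0].strip().lower()


def hardened_needs_csrf_check(content_type: Optional[str]) -> bool:
    """Hardened check: an absent or empty header is treated as form-submittable
    (fail closed), and the comparison is made on the parsed media type."""
    mt = media_type(content_type)
    if not mt:
        return True
    return mt in FORM_MEDIA_TYPES


def authorize_post(headers: Dict[str, str],
                   needs_check: Callable[[Optional[str]], bool]) -> bool:
    """Decide whether a resource-creating POST may proceed (constructed gate).
    Header names are matched case-insensitively. When the body could have come
    from a cross-site form, require an Origin (or, failing that, Referer) whose
    host matches the request's Host header; reject if neither is present."""
    h = {k.lower(): v for k, v in headers.items()}
    if not needs_check(h.get("content-type")):
        return True  # browsers cannot send this body type cross-site silently
    host = h.get("host", "").lower()
    source = h.get("origin") or h.get("referer")
    if not source or not host:
        return False
    return urlparse(source).netloc.lower() == host


# Constructed sample requests; "repo.example" and "evil.example" are made up.
CONSTRUCTED_REQUESTS: Dict[str, Dict[str, str]] = {
    "same-site form": {
        "Host": "repo.example",
        "Origin": "https://repo.example",
        "Content-Type": "application/x-www-form-urlencoded",
    },
    "cross-site form": {
        "Host": "repo.example",
        "Origin": "https://evil.example",
        "Content-Type": "application/x-www-form-urlencoded",
    },
    "cross-site, no Content-Type": {
        "Host": "repo.example",
        "Origin": "https://evil.example",
    },
    "cross-site, crafted Content-Type": {
        "Host": "repo.example",
        "Origin": "https://evil.example",
        "Content-Type": "text/plain; charset=utf-8",
    },
}


def evaluate(needs_check: Callable[[Optional[str]], bool]) -> Dict[str, bool]:
    """Run every constructed request through the gate with the given check and
    return {name: authorized?}."""
    return {name: authorize_post(hdrs, needs_check)
            for name, hdrs in CONSTRUCTED_REQUESTS.items()}


if __name__ == "__main__":
    for label, check in (("weak", weak_needs_csrf_check),
                         ("hardened", hardened_needs_csrf_check)):
        for name, ok in evaluate(check).items():
            print(f"{label:8s} {name:34s} -> {'allowed' if ok else 'rejected'}")
```

With the weak check, both cross-site requests that omit or decorate the Content-Type header are allowed through, which is the bypass shape the description names; the hardened check rejects them while still allowing the same-site form post. When adapting the idea, normalise the header before matching, decide explicitly what an absent header means, and do not rely on the Content-Type check alone for requests that a browser can issue without a preflight.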