CVE-2016-6801
Published: 21 September 2016
Cross-site request forgery (CSRF) vulnerability in the CSRF content-type check in Jackrabbit-Webdav in Apache Jackrabbit 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.3, 2.10.x before 2.10.4, 2.12.x before 2.12.4, and 2.13.x before 2.13.3 allows remote attackers to hijack the authentication of unspecified victims for requests that create a resource via an HTTP POST request with a (1) missing or (2) crafted Content-Type header.
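As an added example (not Jackrabbit's code or the upstream fix), the two failure modes named in the description, a missing Content-Type and a crafted one, shown against a constructed weak gate and a fail-closed alternative; `FORM_MEDIA_TYPES`, `get_header` and the two decision functions are assumed names:

```python
# Added illustration of the bug class in CVE-2016-6801: a gate that decides from
# Content-Type whether a POST must go through CSRF defences. Not Jackrabbit's
# code; the weak gate is constructed to show the two advisory failure modes.

# Media types a browser can send cross-origin from a plain HTML form or a
# simple fetch() without a CORS preflight.
FORM_MEDIA_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}

def get_header(headers, name):
    """Case-insensitive lookup: HTTP field names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None

def media_type(value):
    """Strip parameters such as '; charset=utf-8' and normalise case."""
    return value.split(";", 1)[0].strip().lower()

def weak_requires_csrf_check(headers):
    """Constructed weak gate: exact string compare, and a request without a
    Content-Type is assumed not to be a form post. Both choices fail open."""
    content_type = headers.get("Content-Type")
    if content_type is None:
        return False  # (1) missing header: CSRF check skipped entirely
    return content_type in FORM_MEDIA_TYPES  # (2) parameters/case slip past

def hardened_requires_csrf_check(headers):
    """Fail-closed gate: a missing or empty Content-Type, and any form-capable
    media type regardless of parameters or case, must pass the CSRF defence."""
    content_type = get_header(headers, "Content-Type")
    if content_type is None or not content_type.strip():
        return True
    return media_type(content_type) in FORM_MEDIA_TYPES

if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    for sample in ({}, {"content-type": "text/plain; charset=utf-8"},
                   {"Content-Type": "application/json"}):
        print(sample, weak_requires_csrf_check(sample),
              hardened_requires_csrf_check(sample))
```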
Priority
Status
Package | Release | Status
---|---|---
jackrabbit (Launchpad, Ubuntu, Debian) | artful | Ignored (end of life)
jackrabbit | bionic | Not vulnerable (2.12.4-1)
jackrabbit | cosmic | Not vulnerable (2.12.4-1)
jackrabbit | disco | Not vulnerable (2.12.4-1)
jackrabbit | eoan | Not vulnerable (2.12.4-1)
jackrabbit | focal | Not vulnerable (2.12.4-1)
jackrabbit | groovy | Not vulnerable (2.12.4-1)
jackrabbit | hirsute | Not vulnerable (2.12.4-1)
jackrabbit | impish | Not vulnerable (2.12.4-1)
jackrabbit | jammy | Not vulnerable (2.12.4-1)
jackrabbit | kinetic | Not vulnerable (2.12.4-1)
jackrabbit | lunar | Not vulnerable (2.12.4-1)
jackrabbit | mantic | Not vulnerable (2.12.4-1)
jackrabbit | precise | Does not exist
jackrabbit | trusty | Released (2.3.6-1+deb8u2build0.14.04.1)
jackrabbit | upstream | Needed
jackrabbit | xenial | Needed
jackrabbit | yakkety | Ignored (end of life)
jackrabbit | zesty | Ignored (end of life)
Patches:
upstream: https://github.com/apache/jackrabbit/commit/4108e9feedb188754e59dc060db8e111b427ac37
upstream: https://github.com/apache/jackrabbit/commit/987168c04327fd4fbbb4fb9d13ae92d5ca888386 (2.10)
Severity score breakdown
Parameter | Value
---|---
Base score | 8.8 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | Required |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |