CVE-2016-6801

8.8HIGH

Key Information:

Vendor
Apache
Status
Jackrabbit
Vendor
CVE Published:
21 September 2016

Badges

👾 Exploit Exists

Summary

Cross-site request forgery (CSRF) vulnerability in the CSRF content-type check in Jackrabbit-Webdav in Apache Jackrabbit 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.3, 2.10.x before 2.10.4, 2.12.x before 2.12.4, and 2.13.x before 2.13.3 allows remote attackers to hijack the authentication of unspecified victims for requests that create a resource via an HTTP POST request with a (1) missing or (2) crafted Content-Type header.

References

http://www.openwall.com/lists/oss-security/2016/09/14/6
mailing-listx_refsource_MLIST
http://www.debian.org/security/2016/dsa-3679
vendor-advisoryx_refsource_DEBIAN
https://issues.apache.org/jira/browse/JCR-4009
x_refsource_CONFIRM

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

.