Cross-Site Request Forgery Vulnerability in Apache Jackrabbit
CVE-2016-6801

8.8 HIGH

Key Information:

Vendor
Apache
CVE Published:
21 September 2016

Summary

The CSRF protection in Apache Jackrabbit's WebDAV feature decides whether to apply its check based on the request's Content-Type header. That decision is flawed: a POST request that has no Content-Type header at all, or carries a malformed one, is not checked. A remote attacker can therefore lure an authenticated user to an attacker-controlled page and cause the victim's browser to submit a resource-creating request to the repository with the victim's credentials, performing unauthorized actions on the victim's behalf. Exploitation needs no privileges on the target but does require the victim to interact with attacker-controlled content while holding a valid session.
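The failure mode described above is a Content-Type allow-list that only triggers the origin check on an exact string match, so anything the list does not recognise is waved through. The following is added example code, not Jackrabbit's own implementation: it shows that weak shape of check beside a hardened one that parses the media type and fails closed when the header is missing or malformed. The sample requests, the host name repo.example, and the helper names are all constructed for illustration.

```python
"""Illustrative CSRF gate for a resource-creating POST endpoint.

Added example, not Jackrabbit's code. It contrasts a weak Content-Type
allow-list with a hardened one and runs both over constructed requests.
"""
from urllib.parse import urlsplit

# Media types an HTML <form> can submit cross-site without a CORS preflight.
# A POST carrying one of these may be a forged cross-site form submission.
FORM_MEDIA_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}


def _header(headers, name):
    """Case-insensitive lookup over a plain dict of headers (constructed helper)."""
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return None


def weak_needs_csrf_check(headers):
    """Vulnerable shape: only an exact match triggers the origin check.

    A missing header, a parameter such as ';charset=UTF-8', or any garbage
    value falls through as 'not a form post' and skips the check entirely.
    """
    return _header(headers, "content-type") in FORM_MEDIA_TYPES


def needs_csrf_check(headers):
    """Hardened shape: parse the media type and fail closed.

    Missing or unparseable headers are treated as form-capable so the
    origin check still runs; parameters after ';' are ignored for matching.
    """
    raw = _header(headers, "content-type")
    if raw is None:
        return True
    media_type = raw.split(";", 1)[0].strip().lower()
    if "/" not in media_type or media_type.startswith("/") or media_type.endswith("/"):
        return True  # malformed: never use it as a reason to skip the check
    return media_type in FORM_MEDIA_TYPES


def same_origin(headers, own_host):
    """Origin check: prefer Origin, fall back to Referer; absence is rejection."""
    source = _header(headers, "origin") or _header(headers, "referer")
    if not source:
        return False
    try:
        netloc = urlsplit(source).netloc
    except ValueError:  # e.g. an invalid IPv6 literal in the URL
        return False
    return netloc.lower() == own_host.lower()


def allow_post(headers, own_host, needs_check=needs_csrf_check):
    """Decide whether a resource-creating POST may proceed."""
    if not needs_check(headers):
        return True  # e.g. application/json from a genuine API/WebDAV client
    return same_origin(headers, own_host)


# Constructed sample requests (not captured traffic). Browsers typically
# append a charset parameter when a form uses enctype="text/plain".
CROSS_SITE_FORM_POST = {
    "Host": "repo.example",
    "Content-Type": "text/plain;charset=UTF-8",
    "Referer": "https://attacker.example/lure.html",
}
SAME_SITE_FORM_POST = {
    "Host": "repo.example",
    "Content-Type": "application/x-www-form-urlencoded",
    "Origin": "https://repo.example",
}
API_CLIENT_POST = {"Host": "repo.example", "Content-Type": "application/json"}
NO_CONTENT_TYPE_POST = {
    "Host": "repo.example",
    "Referer": "https://attacker.example/lure.html",
}


def evaluate(own_host="repo.example"):
    """Run both gates over the samples; returns {name: (weak_allows, hardened_allows)}."""
    samples = {
        "cross_site_form": CROSS_SITE_FORM_POST,
        "same_site_form": SAME_SITE_FORM_POST,
        "api_client": API_CLIENT_POST,
        "no_content_type": NO_CONTENT_TYPE_POST,
    }
    return {
        name: (
            allow_post(req, own_host, weak_needs_csrf_check),
            allow_post(req, own_host, needs_csrf_check),
        )
        for name, req in samples.items()
    }


if __name__ == "__main__":
    for name, (weak, hardened) in evaluate().items():
        print(f"{name:16s} weak={weak!s:5s} hardened={hardened}")
```

With the weak gate, both the `text/plain;charset=UTF-8` form post from attacker.example and the request with no Content-Type at all are allowed without any origin check; the hardened gate rejects both while still letting a same-site form and a JSON API client through. The trade-off is that the hardened gate fails closed: a browser form submission that arrives with neither Origin nor Referer (for example because a referrer policy stripped it) is refused rather than trusted.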

CVSS V3.1

Score: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Timeline

  • Public PoC available
  • Exploit known to exist
  • Vulnerability published (21 September 2016)
  • Vulnerability reserved
