CVE-2016-6801
high-risk
Published 2016-09-21
Cross-site request forgery (CSRF) vulnerability in the CSRF content-type check in Jackrabbit-Webdav in Apache Jackrabbit 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.3, 2.10.x before 2.10.4, 2.12.x before 2.12.4, and 2.13.x before 2.13.3 allows remote attackers to hijack the authentication of unspecified victims for requests that create a resource via an HTTP POST request with a (1) missing or (2) crafted Content-Type header.
Do I need to act?
-
0.36% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.8/10
High
NETWORK
/ LOW complexity
Affected Products (20)
Jackrabbit
Jackrabbit
Jackrabbit
Jackrabbit
Jackrabbit
Jackrabbit
Jackrabbit
Jackrabbit
Jackrabbit
Jackrabbit
Jackrabbit
Jackrabbit
Jackrabbit
Jackrabbit
Jackrabbit
Jackrabbit
Jackrabbit
Jackrabbit
Jackrabbit
References (8)
Third Party Advisory
http://www.debian.org/security/2016/dsa-3679
Third Party Advisory
http://www.openwall.com/lists/oss-security/2016/09/14/6
Third Party Advisory
http://www.securityfocus.com/bid/92966
Vendor Advisory
https://issues.apache.org/jira/browse/JCR-4009
Third Party Advisory
http://www.debian.org/security/2016/dsa-3679
Third Party Advisory
http://www.openwall.com/lists/oss-security/2016/09/14/6
Third Party Advisory
http://www.securityfocus.com/bid/92966
Vendor Advisory
https://issues.apache.org/jira/browse/JCR-4009
53
/ 100
high-risk
Severity
30/34 · Critical
Exploitability
1/34 · Minimal
Exposure
22/34 · High