Vulnerability Description
Cross-site request forgery (CSRF) vulnerability in the CSRF content-type check in Jackrabbit-Webdav in Apache Jackrabbit 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.3, 2.10.x before 2.10.4, 2.12.x before 2.12.4, and 2.13.x before 2.13.3 allows remote attackers to hijack the authentication of unspecified victims for requests that create a resource via an HTTP POST request with a (1) missing or (2) crafted Content-Type header.

The WebDAV servlet's CSRF protection decided whether to apply its check based on the request's Content-Type header. A POST that carried no Content-Type, or one the check did not recognize, was not treated as a potential forgery, so a page on an attacker-controlled site could cause a logged-in victim's browser to issue a resource-creating POST to the repository with the victim's ambient credentials (a session cookie or cached HTTP Basic credentials). The issue is fixed in 2.4.6, 2.6.6, 2.8.3, 2.10.4, 2.12.4 and 2.13.3 (JCR-4009).
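The following Python is an added illustration of the vulnerability class, not Jackrabbit's own CSRFUtil code: a request-level check that gates its CSRF logic on an exact Content-Type string match is shown beside a hardened version that normalizes the media type (stripping parameters such as boundary= or charset=, lowercasing) and treats a missing header as untrusted. It goes beyond the two cases in the description by also covering unusual casing and a cross-site JSON request. Host names, headers and the trusted-host set are constructed for the example.

```python
# Added example: the Content-Type-gated CSRF check pattern, weak and hardened.
# Illustrative code written for this page; it is not Jackrabbit's CSRFUtil.
# All request headers and host names below are constructed sample data.
from typing import Mapping, Optional, Set
from urllib.parse import urlsplit

# Media types a plain HTML <form> can submit cross-site without a CORS preflight.
FORM_MEDIA_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _source_host(headers: Mapping[str, str]) -> Optional[str]:
    """Host the browser says the request came from: Origin, else Referer, else None."""
    for name in ("Origin", "Referer"):
        value = _header(headers, name)
        if value:
            return urlsplit(value).hostname
    return None


def _media_type(headers: Mapping[str, str]) -> Optional[str]:
    """Normalized media type: parameters (charset=, boundary=) stripped, lowercased."""
    ctype = _header(headers, "Content-Type")
    if ctype is None:
        return None
    return ctype.split(";", 1)[0].strip().lower()


def weak_is_csrf(method: str, headers: Mapping[str, str], trusted_hosts: Set[str]) -> bool:
    """The flawed pattern: only POSTs whose raw Content-Type string exactly equals a
    known form type get the source check. A missing header, or one carrying
    parameters or different casing, is never examined at all."""
    if method != "POST":
        return False
    raw_ctype = _header(headers, "Content-Type")
    if raw_ctype in FORM_MEDIA_TYPES:
        return _source_host(headers) not in trusted_hosts
    return False  # unrecognized or absent Content-Type: waved through


def hardened_is_csrf(method: str, headers: Mapping[str, str], trusted_hosts: Set[str]) -> bool:
    """Fail closed: normalize the media type before comparing, and treat a missing
    Content-Type as attacker-controllable rather than as 'not a form'. Non-form media
    types are accepted only because a browser cannot send them cross-site without a
    CORS preflight; this assumes the server has not granted permissive CORS."""
    if method != "POST":
        return False
    media = _media_type(headers)
    if media is not None and media not in FORM_MEDIA_TYPES:
        return False
    return _source_host(headers) not in trusted_hosts


TRUSTED = {"repo.example"}  # constructed: the repository's own host

SAMPLE_REQUESTS = {  # constructed POST header sets, one per scenario
    "same-site form": {"Content-Type": "application/x-www-form-urlencoded",
                       "Referer": "http://repo.example/repository/default/"},
    "cross-site urlencoded form": {"Content-Type": "application/x-www-form-urlencoded",
                                   "Referer": "http://attacker.example/page.html"},
    "cross-site multipart form": {"Content-Type": "multipart/form-data; boundary=----abc",
                                  "Origin": "http://attacker.example"},
    "cross-site, no Content-Type": {"Origin": "http://attacker.example"},
    "cross-site, odd casing": {"Content-Type": "TEXT/PLAIN",
                               "Referer": "http://attacker.example/"},
    "cross-site JSON XHR": {"Content-Type": "application/json",
                            "Origin": "http://attacker.example"},
}


def compare(trusted: Set[str] = TRUSTED):
    """Run both checks over the sample requests; returns name -> (weak_flags, hardened_flags)."""
    return {name: (weak_is_csrf("POST", hdrs, trusted), hardened_is_csrf("POST", hdrs, trusted))
            for name, hdrs in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, (weak, hard) in compare().items():
        print(f"{name:30} weak_flags={weak!s:5} hardened_flags={hard}")
```

The three rows the weak check misses (multipart with a boundary parameter, no Content-Type, unusual casing) are exactly the shape of request a browser will send cross-site from a form or a fetch() with an untyped body, which is why gating on an exact header match is not a CSRF defense. The JSON row is accepted by both checks by design; whether that is safe depends on the server's CORS configuration, so a practitioner should verify it rather than assume it.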
CVSS Score
8.8 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Jackrabbit | 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.3, 2.10.x before 2.10.4, 2.12.x before 2.12.4, 2.13.x before 2.13.3 |
| Debian | Debian Linux | 8.0 (jessie), see DSA-3679 |
Related Weaknesses (CWE)
CWE-352: Cross-Site Request Forgery (CSRF)
References
- http://www.debian.org/security/2016/dsa-3679 (Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2016/09/14/6 (Third Party Advisory)
- http://www.securityfocus.com/bid/92966 (Third Party Advisory, VDB Entry)
- https://issues.apache.org/jira/browse/JCR-4009 (Vendor Advisory)
FAQ
What is CVE-2016-6801?
CVE-2016-6801 is a vulnerability with a CVSS score of 8.8 (HIGH). It is a cross-site request forgery (CSRF) vulnerability in the CSRF content-type check in Jackrabbit-Webdav in Apache Jackrabbit 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.3, 2.10.x before 2.10.4, 2.12.x before 2.12.4, and 2.13.x before 2.13.3 that allows remote attackers to hijack the authentication of victims for resource-creating HTTP POST requests with a missing or crafted Content-Type header.
How severe is CVE-2016-6801?
CVE-2016-6801 has been rated HIGH with a CVSS base score of 8.8/10. The attack is launched from a web page the victim visits, so it requires no direct network access to the repository, only that the victim holds a valid session or cached credentials for it.
Is there a patch for CVE-2016-6801?
Yes. Apache fixed the issue in Jackrabbit 2.4.6, 2.6.6, 2.8.3, 2.10.4, 2.12.4 and 2.13.3 (see JCR-4009 in the references); upgrade to the fixed release of the branch in use. Debian 8.0 (jessie) users should apply the update announced in DSA-3679. Affected products: Apache Jackrabbit, Debian Debian Linux.