CVE-2016-6801

Cross-Site Request Forgery (CSRF) in maven/org.apache.jackrabbit/jackrabbit-webdav

Identifiers

GHSA-9fc7-rhq3-wm7x, CVE-2016-6801

Package Slug

maven/org.apache.jackrabbit/jackrabbit-webdav

Vulnerability

Cross-Site Request Forgery (CSRF)

Description

Cross-site request forgery (CSRF) vulnerability in the CSRF content-type check in Jackrabbit-Webdav in Apache Jackrabbit 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.3, 2.10.x before 2.10.4, 2.12.x before 2.12.4, and 2.13.x before 2.13.3 allows remote attackers to hijack the authentication of unspecified victims for requests that create a resource via an HTTP POST request with a (1) missing or (2) crafted Content-Type header.
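The advisory describes a CSRF guard that decides on the request's Content-Type and fails open when the header is missing or decorated. The following Python is an added illustration of that failure mode and its fix; it is not Jackrabbit's code, and the function names, the constructed header dictionaries and the allow-list of accepted media types are assumptions chosen for the example. A browser can be made to submit a cross-site POST only with the form media types listed below, so a guard that keys on Content-Type has to treat those, and an absent header, as untrusted, and should parse the media type rather than compare the raw string.

```python
"""Added illustration (not Jackrabbit's code): a content-type based CSRF guard
that fails open, beside a hardened version. All header inputs are constructed."""
from typing import FrozenSet, Mapping, Optional

# Media types a browser will send from an HTML form or a no-preflight fetch().
# A cross-site attacker can make a victim's browser emit these, so a
# Content-Type guard must treat them (and a missing header) as untrusted.
FORM_MEDIA_TYPES: FrozenSet[str] = frozenset({
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
})

# Media types the (hypothetical) endpoint actually accepts from API clients.
DEFAULT_ALLOWED: FrozenSet[str] = frozenset({
    "application/json",
    "application/xml",
    "text/xml",
})


def _get_header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def media_type(value: str) -> str:
    """Normalise a Content-Type value to its bare media type:
    'Text/Plain; charset=UTF-8' -> 'text/plain'."""
    return value.split(";", 1)[0].strip().lower()


def weak_check_allows(headers: Mapping[str, str]) -> bool:
    """Deny-list guard of the shape the advisory describes: it rejects only an
    exact match against the form types. A missing header passes (fails open),
    and a header carrying parameters such as '; charset=UTF-8' no longer matches
    the deny-list string, so it passes too."""
    content_type = _get_header(headers, "Content-Type")
    if content_type is None:
        return True  # fails open: no header, no check
    return content_type not in FORM_MEDIA_TYPES  # raw string compare


def hardened_check_allows(headers: Mapping[str, str],
                          allowed: FrozenSet[str] = DEFAULT_ALLOWED) -> bool:
    """Allow-list guard: the header must be present, must parse to a media type
    that is not a browser form type, and must be one the endpoint accepts."""
    content_type = _get_header(headers, "Content-Type")
    if content_type is None:
        return False  # fail closed on a missing header
    parsed = media_type(content_type)
    if parsed in FORM_MEDIA_TYPES:
        return False
    return parsed in allowed


if __name__ == "__main__":
    # Constructed requests: the two bypass shapes named in the advisory.
    samples = {
        "missing header": {},
        "parameterised form type": {
            "content-type": "application/x-www-form-urlencoded; charset=UTF-8"},
        "bare form type": {"Content-Type": "text/plain"},
        "api client": {"Content-Type": "Application/JSON; charset=utf-8"},
    }
    for label, hdrs in samples.items():
        print(f"{label:24} weak={weak_check_allows(hdrs)!s:5} "
              f"hardened={hardened_check_allows(hdrs)}")
```

A Content-Type guard of this kind is only a secondary control; the primary CSRF defence for state-changing requests remains a per-session anti-forgery token or an equivalent origin check, with the content-type rule layered on top.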

Affected Versions

All versions starting from 2.4.0 before 2.4.6
All versions starting from 2.6.0 before 2.6.6
All versions starting from 2.8.0 before 2.8.3
All versions starting from 2.10.0 before 2.10.4
All versions starting from 2.12.0 before 2.12.4
All versions starting from 2.13.0 before 2.13.3

Solution

Upgrade to versions 2.4.6, 2.6.6, 2.8.3, 2.10.4, 2.12.4, 2.13.3 or above.

Last Modified

2023-11-08