CVE-2016-6801

Description

Cross-site request forgery (CSRF) vulnerability in the CSRF content-type check in Jackrabbit-Webdav in Apache Jackrabbit 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.3, 2.10.x before 2.10.4, 2.12.x before 2.12.4, and 2.13.x before 2.13.3 allows remote attackers to hijack the authentication of unspecified victims for requests that create a resource via an HTTP POST request with a (1) missing or (2) crafted Content-Type header.

How to fix CVE-2016-6801

To remediate CVE-2016-6801, upgrade the affected package to a fixed version below.

• —upgrade to 2.12.4-1 or later
• —upgrade to 2.3.6-1+deb7u2 or later
• —upgrade to 2.3.6-1+deb8u2 or later
• —upgrade to 2.4.6 or later

Is CVE-2016-6801 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

• from 0, < 2.12.4-1
• from 0, < 2.3.6-1+deb7u2
• from 0, < 2.3.6-1+deb8u2
• >= 2.4.0, < 2.4.6

CVSS scores

References (10)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2016-6801
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2016-6801
• PATCHgithub.com/apache/jackrabbit
• WEBgithub.com/apache/jackrabbit/commit/16f2f02fcaef6202a2bf24c449d4fd10eb98f08d