Description

Cross-site request forgery (CSRF) vulnerability in the CSRF content-type check in Jackrabbit-Webdav in Apache Jackrabbit 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.3, 2.10.x before 2.10.4, 2.12.x before 2.12.4, and 2.13.x before 2.13.3 allows remote attackers to hijack the authentication of unspecified victims for requests that create a resource via an HTTP POST request with a (1) missing or (2) crafted Content-Type header.

Remediation

References

http://www.debian.org/security/2016/dsa-3679

http://www.openwall.com/lists/oss-security/2016/09/14/6

http://www.securityfocus.com/bid/92966

https://issues.apache.org/jira/browse/JCR-4009

Related Vulnerabilities

CVE-2018-16462 Vulnerability in npm package apex-publish-static-files

CVE-2018-18315 Vulnerability in maven package com.mossle:lemon

CVE-2020-6532 Vulnerability in npm package electron

CVE-2020-28450 Vulnerability in npm package decal

CVE-2021-21179 Vulnerability in maven package org.webjars.npm:electron

Severity

Critical

Classification

CWE-352 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Tags

Third Party Advisory VDB Entry Vendor Advisory