Description

Cross-site request forgery (CSRF) vulnerability in the CSRF content-type check in Jackrabbit-Webdav in Apache Jackrabbit 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.3, 2.10.x before 2.10.4, 2.12.x before 2.12.4, and 2.13.x before 2.13.3 allows remote attackers to hijack the authentication of unspecified victims for requests that create a resource via an HTTP POST request with a (1) missing or (2) crafted Content-Type header.

Remediation

References

http://www.debian.org/security/2016/dsa-3679

http://www.openwall.com/lists/oss-security/2016/09/14/6

http://www.securityfocus.com/bid/92966

https://issues.apache.org/jira/browse/JCR-4009

Related Vulnerabilities

CVE-2020-28501 Vulnerability in npm package es6-crawler-detect

CVE-2021-21141 Vulnerability in maven package org.webjars.npm:electron

CVE-2017-12610 Vulnerability in maven package org.apache.kafka:kafka_2.10

CVE-2020-7682 Vulnerability in npm package marked-tree

CVE-2016-1000031 Vulnerability in maven package commons-fileupload:commons-fileupload

Severity

Critical

Classification

CWE-352 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Tags

Third Party Advisory VDB Entry Vendor Advisory