Description

Cross-site request forgery (CSRF) vulnerability in the CSRF content-type check in Jackrabbit-Webdav in Apache Jackrabbit 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.3, 2.10.x before 2.10.4, 2.12.x before 2.12.4, and 2.13.x before 2.13.3 allows remote attackers to hijack the authentication of unspecified victims for requests that create a resource via an HTTP POST request with a (1) missing or (2) crafted Content-Type header.

Remediation

References

http://www.debian.org/security/2016/dsa-3679

http://www.openwall.com/lists/oss-security/2016/09/14/6

http://www.securityfocus.com/bid/92966

https://issues.apache.org/jira/browse/JCR-4009

Related Vulnerabilities

CVE-2021-30246 Vulnerability in maven package org.webjars.bowergithub.kjur:jsrsasign

CVE-2020-5258 Vulnerability in maven package org.webjars.npm:dojo

CVE-2016-10578 Vulnerability in npm package unicode

CVE-2015-7940 Vulnerability in maven package org.bouncycastle:bcprov-ext-jdk15on

CVE-2017-16177 Vulnerability in npm package chatbyvista

Severity

Critical

Classification

CWE-352 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Tags

Third Party Advisory VDB Entry Vendor Advisory