Vulnerability Details : CVE-2016-7401
The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.
Vulnerability category: Cross-site request forgery (CSRF)
Products affected by CVE-2016-7401
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
- cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.9.2:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.9.7:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.9.5:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.9.6:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.9.3:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.9.4:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.9.9:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.9.0:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.9.8:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2016-7401
- EPSS score: 2.91% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~86% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2016-7401
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N | 10.0 | 2.9 | NIST |
7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N | 3.9 | 3.6 | NIST |
CWE ids for CVE-2016-7401
- Assigned by: nvd@nist.gov (Primary)
References for CVE-2016-7401
- http://rhn.redhat.com/errata/RHSA-2016-2040.html
  RHSA-2016:2040 - Security Advisory - Red Hat Customer Portal
- http://rhn.redhat.com/errata/RHSA-2016-2042.html
  RHSA-2016:2042 - Security Advisory - Red Hat Customer Portal
- http://www.securityfocus.com/bid/93182
  Django CVE-2016-7401 Cross Site Request Forgery Vulnerability (Third Party Advisory)
- http://www.securitytracker.com/id/1036899
  Django Google Analytics Cookie Parsing Flaw Lets Remote Users Conduct Cross-Site Request Forgery Attacks - SecurityTracker (Third Party Advisory)
- http://rhn.redhat.com/errata/RHSA-2016-2041.html
  RHSA-2016:2041 - Security Advisory - Red Hat Customer Portal
- http://rhn.redhat.com/errata/RHSA-2016-2038.html
  RHSA-2016:2038 - Security Advisory - Red Hat Customer Portal
- http://rhn.redhat.com/errata/RHSA-2016-2043.html
  RHSA-2016:2043 - Security Advisory - Red Hat Customer Portal
- http://rhn.redhat.com/errata/RHSA-2016-2039.html
  RHSA-2016:2039 - Security Advisory - Red Hat Customer Portal
- http://www.ubuntu.com/usn/USN-3089-1
  USN-3089-1: Django vulnerability | Ubuntu security notices (Third Party Advisory)
- https://www.djangoproject.com/weblog/2016/sep/26/security-releases/
  Django security releases issued: 1.9.10 and 1.8.15 | Weblog | Django (Patch; Vendor Advisory)
- http://www.debian.org/security/2016/dsa-3678
  Debian -- Security Information -- DSA-3678-1 python-django (Third Party Advisory)