CVE-2016-7401
Aliases: GHSA-crhm-qpjc-cm64, PYSEC-2016-3
Advisory lineage: Upstream: 0, Downstream: 23
Modified
Published: 03 Oct 2016, 18:00
Last modified: 06 Aug 2024, 01:57
Vulnerability Summary
- Overall Risk (default): medium (31/100)
- CVSS Score: 7.5 HIGH (v3.0, nvd)
- EPSS Score: 6.16% LOW (6% probability, +1.78%)
- KEV: Not listed
- Ransomware: No reports
- Public exploits: None found
- Dark Web: Not detected
Timeline
- 03 Oct 2016, 18:00: Published (vulnerability first disclosed)
- 06 Aug 2024, 01:57: Last modified (vulnerability information updated)
Description
The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.
CVSS Metrics
- v4.0 • HIGH • Score: 8.7 • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
- v3.0 • HIGH • Score: 7.5 • CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
- v2.0 • MEDIUM • Score: 5 • AV:N/AC:L/Au:N/C:N/I:P/A:N
EPSS Trends
Current EPSS score: 6.16% • Percentile: 91%
Techniques & Countermeasures
- CWE-254 • 7PK - Security Features
Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.
Affected Systems
- canonical • ubuntu_linux: 12.04 | 14.04 | 16.04
- debian • debian_linux: 8.0
- djangoproject • django: ≤ 1.8.14 | 1.9.0 | 1.9.1 | 1.9.2 | 1.9.3 | 1.9.4 | 1.9.5 | 1.9.6 | 1.9.7 | 1.9.8 | 1.9.9
- PyPI • django: < 1.8.15 | ≥ 1.9, < 1.9.10
References (20)
- http://www.debian.org/security/2016/dsa-3678
- http://rhn.redhat.com/errata/RHSA-2016-2040.html
- http://rhn.redhat.com/errata/RHSA-2016-2043.html
- http://www.securitytracker.com/id/1036899
- http://rhn.redhat.com/errata/RHSA-2016-2041.html
- https://www.djangoproject.com/weblog/2016/sep/26/security-releases/
- http://rhn.redhat.com/errata/RHSA-2016-2042.html
- http://www.ubuntu.com/usn/USN-3089-1
- http://www.securityfocus.com/bid/93182
- http://rhn.redhat.com/errata/RHSA-2016-2038.html
- http://rhn.redhat.com/errata/RHSA-2016-2039.html
- https://nvd.nist.gov/vuln/detail/CVE-2016-7401
- https://github.com/django/django/commit/6118ab7d0676f0d622278e5be215f14fb5410b6a
- https://github.com/django/django/commit/6fe846a8f08dc959003f298b5407e321c6fe3735
- https://github.com/django/django/commit/d1bc980db1c0fffd6d60677e62f70beadb9fe64a
- https://github.com/django/django
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2016-3.yaml
- https://web.archive.org/web/20200227223637/http://www.securityfocus.com/bid/93182
- https://web.archive.org/web/20210927195154/http://www.securitytracker.com/id/1036899
- https://www.djangoproject.com/weblog/2016/sep/26/security-releases