CVE-2016-7401

Related Vulnerabilities: CVE-2016-7401  

A CSRF flaw was found in Django, where an interaction between Google Analytics and Django's cookie parsing could allow an attacker to set arbitrary cookies, leading to a bypass of CSRF protection. In this update, the parser for request.COOKIES has been simplified to better match browser behavior and to mitigate this attack. request.COOKIES may now contain cookies that are invalid according to RFC 6265 but are possible to set using document.cookie.

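The parsing divergence behind this advisory, shown as an added illustration (this is not Django's code and not the upstream fix itself): a strict RFC-style cookie parser and a browser-like parser disagree on the same Cookie header. The stdlib SimpleCookie stands in for the strict parser, the browser-like parser follows the split-on-';' behavior described above, and the header is constructed.

```python
"""Added example: strict vs. browser-like parsing of a Cookie header."""
from http.cookies import SimpleCookie, CookieError


def parse_cookie_strict(header: str) -> dict:
    """Parse with the stdlib SimpleCookie, which stops at the first cookie
    whose value it considers syntactically illegal, so every cookie after
    it is silently lost. This stands in for the pre-fix, RFC-strict parser;
    the exact set of rejected characters varies by Python version (assumption).
    """
    jar = SimpleCookie()
    try:
        jar.load(header)
    except CookieError:
        return {}
    return {name: morsel.value for name, morsel in jar.items()}


def parse_cookie_browserlike(header: str) -> dict:
    """Split on ';' and then on the first '=', keeping every pair even when
    the value is not a valid RFC 6265 cookie-value. This mirrors what a page
    can set through document.cookie and what the browser sends back.
    """
    cookies = {}
    for chunk in header.split(";"):
        if "=" in chunk:
            name, value = chunk.split("=", 1)
        else:
            name, value = "", chunk  # nameless cookie, which browsers allow
        name, value = name.strip(), value.strip()
        if name or value:
            cookies[name] = value
    return cookies


# Constructed header: the middle cookie carries an unbalanced double quote,
# a value a browser will store via document.cookie but SimpleCookie rejects.
SAMPLE_HEADER = 'sessionid=abc123; analytics=x"y; csrftoken=tok456'


def dropped_by_strict_parser(header: str = SAMPLE_HEADER) -> list:
    """Names the browser sent that the strict parser never saw; a CSRF check
    reading request.COOKIES from the strict parser works on a different
    view of the request than the browser has."""
    strict = parse_cookie_strict(header)
    loose = parse_cookie_browserlike(header)
    return sorted(set(loose) - set(strict))


if __name__ == "__main__":
    print("strict      :", parse_cookie_strict(SAMPLE_HEADER))
    print("browser-like:", parse_cookie_browserlike(SAMPLE_HEADER))
    print("dropped     :", dropped_by_strict_parser())
```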

Find out more about CVE-2016-7401 from the MITRE CVE dictionary and NIST NVD.

Statement

This issue did not affect the versions of calamari-server as shipped with Red Hat Ceph Storage 1.3 and 2.0, as they did not include support for Google Analytics with Django.

CVSS v2 metrics

Base Score 4.3
Base Metrics AV:N/AC:M/Au:N/C:N/I:P/A:N
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact None
Integrity Impact Partial
Availability Impact None

CVSS v3 metrics

CVSS3 Base Score 6.1
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Changed
Confidentiality Impact Low
Integrity Impact Low
Availability Impact None

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

Platform Errata Release Date
Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6 (python-django) RHSA-2016:2038 2016-10-10
Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7 (python-django) RHSA-2016:2040 2016-10-10
Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7 (python-django) RHSA-2016:2041 2016-10-10
Red Hat OpenStack Platform 8.0 (Liberty) (python-django) RHSA-2016:2042 2016-10-10
Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7 (python-django) RHSA-2016:2039 2016-10-10
Red Hat OpenStack Platform 9.0 (python-django) RHSA-2016:2043 2016-10-10

Affected Packages State

Platform Package State
Red Hat Subscription Asset Manager 1 Django Not affected
Red Hat OpenStack Platform Operational Tools 9 python-django Will not fix
Red Hat OpenStack Platform 10.0 Operational Tools for RHEL 7 python-django Not affected
Red Hat OpenStack Platform 10 python-django Not affected
Red Hat Enterprise Linux OpenStack Platform 8.0 Operational Tools for RHEL 7 python-django Will not fix
Red Hat Enterprise Linux OpenStack Platform 7.0 Operational Tools for RHEL 7 python-django Will not fix
Red Hat Ceph Storage 2 Django Not affected
Red Hat Ceph Storage 1.3 Django Not affected

Acknowledgements

Red Hat would like to thank the upstream Django project for reporting this issue.