CVE-2016-7401

Published: 03/10/2016 Updated: 05/01/2018
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 446
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

Vulnerability Summary

The cookie parsing code in Django prior to 1.8.15 and 1.9.x prior to 1.9.10, when used on a site with Google Analytics, allows remote malicious users to bypass an intended CSRF protection mechanism by setting arbitrary cookies.

Vulnerable Products

canonical ubuntu linux 16.04
canonical ubuntu linux 14.04
canonical ubuntu linux 12.04
djangoproject django 1.9.6
djangoproject django 1.9.5
djangoproject django 1.9.4
djangoproject django 1.9.3
djangoproject django 1.9.2
djangoproject django 1.9.9
djangoproject django 1.9.1
djangoproject django 1.9.0
djangoproject django 1.9.8
djangoproject django 1.9.7
djangoproject django
debian debian linux 8.0

Vendor Advisories

Django could be made to set arbitrary cookies ...
Sergey Bobrov discovered that cookie parsing in Django and Google Analytics interacted in such a way that an attacker could set arbitrary cookies. This allows other malicious web sites to bypass the Cross-Site Request Forgery (CSRF) protections built into Django. For the stable distribution (jessie), this problem has been fixed in version 1.7.11-1+deb ...

Synopsis: Moderate: python-django security update. Type/Severity: Security Advisory: Moderate. Topic: An update for python-django is now available for Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Co ...

Synopsis: Moderate: python-django security update. Type/Severity: Security Advisory: Moderate. Topic: An update for python-django is now available for Red Hat OpenStack Platform 8.0 (Liberty). Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring Sy ...

Synopsis: Moderate: python-django security update. Type/Severity: Security Advisory: Moderate. Topic: An update for python-django is now available for Red Hat OpenStack Platform 9.0 (Mitaka). Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring Sys ...

Synopsis: Moderate: python-django security update. Type/Severity: Security Advisory: Moderate. Topic: An update for python-django is now available for Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common ...

Synopsis: Moderate: python-django security update. Type/Severity: Security Advisory: Moderate. Topic: An update for python-django is now available for Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Co ...

Synopsis: Moderate: python-django security update. Type/Severity: Security Advisory: Moderate. Topic: An update for python-django is now available for Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common ...

A CSRF flaw was found in Django, where an interaction between Google Analytics and Django's cookie parsing could allow an attacker to set arbitrary cookies, leading to a bypass of CSRF protection. In this update, the parser for ''request.COOKIES'' has been simplified to better match browser behavior and to mitigate this attack. ''request.COOKIES'' m ...

Sergey Bobrov found a vulnerability where an interaction between Google Analytics and Django's cookie parsing could allow an attacker to set arbitrary cookies, leading to a bypass of CSRF protection ...