CVE-2018-6596

Published: 03/02/2018 Updated: 02/03/2018
CVSS v2 Base Score: 6.4 | Impact Score: 4.9 | Exploitability Score: 10
CVSS v3 Base Score: 9.1 | Impact Score: 5.2 | Exploitability Score: 3.9
VMScore: 570
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N

Vulnerability Summary

webhooks/base.py in Anymail (aka django-anymail) prior to 1.2.1 is prone to a timing attack vulnerability on the WEBHOOK_AUTHORIZATION secret, which allows remote malicious users to post arbitrary e-mail tracking events.
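The class of flaw described above, shown as an added example that is not Anymail's code: an ordinary equality check on a webhook shared secret next to a constant-time check. The HTTP Basic `Authorization` header format, the sample secrets, and all function names here are assumptions made for illustration.

```python
import base64
import hmac

# Constructed sample secrets ("user:password"); a list allows secret rotation.
WEBHOOK_SECRETS = ["hookuser:s3cr3t-old", "hookuser:s3cr3t-new"]


def basic_header(secret):
    """Build the Authorization header value a legitimate sender would present."""
    return "Basic " + base64.b64encode(secret.encode("utf-8")).decode("ascii")


def check_naive(auth_header, secrets=WEBHOOK_SECRETS):
    """Weak form: `in` uses ==, which can return as soon as a byte differs,
    so response time correlates with how much of a guess is correct."""
    return (auth_header or "") in [basic_header(s) for s in secrets]


def check_constant_time(auth_header, secrets=WEBHOOK_SECRETS):
    """Hardened form: hmac.compare_digest does not stop at the first
    mismatching byte, and every configured secret is compared (no early exit).
    Input length may still be observable; the secret's content is not."""
    if not secrets:
        # Fail closed: an empty configuration must never authorize anything.
        raise ValueError("no webhook secret configured")
    supplied = (auth_header or "").encode("utf-8", "replace")
    ok = False
    for secret in secrets:
        expected = basic_header(secret).encode("ascii")
        ok |= hmac.compare_digest(supplied, expected)
    return ok


if __name__ == "__main__":
    good = basic_header("hookuser:s3cr3t-new")
    near_miss = basic_header("hookuser:s3cr3t-neX")  # differs in last byte only
    for label, header in [("valid", good), ("near miss", near_miss), ("absent", None)]:
        print(label, check_naive(header), check_constant_time(header))
```

Both functions return the same accept/reject decision; only the second avoids tying comparison time to the position of the first wrong byte.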

Vulnerable Product

django-anymail project django-anymail

debian debian linux 9.0

Vendor Advisories

Debian Bug report logs - #889450: django-anymail: CVE-2018-6596: Security issue with timing attack on WEBHOOK_AUTHORIZATION. Package: src:django-anymail; Maintainer for src:django-anymail is Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>; Reported by: Scott Kitterman <debian@kitterman.com>; Date ...

It was discovered that the webhook validation of Anymail, a Django email backend for multiple ESPs, is prone to a timing attack. A remote attacker can take advantage of this flaw to obtain a WEBHOOK_AUTHORIZATION secret and post arbitrary email tracking events. For the stable distribution (stretch), this problem has been fixed in version 0.8-2+deb ...