Vulnerability CVE-2016-7401: Information

Description

The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.

Severity: HIGH (7.5)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Published: Oct. 3, 2016
Modified: Jan. 5, 2018
Error type identifier: CWE-254

Fixed packages

Package name           Branch  Fixed in version     Version from repository  Errata ID           Task #  State
python-module-django   p9      1.8.15-alt1          1.11.29-alt2             ALT-PU-2016-2173-1  171331  Fixed
python-module-django   p8      1.8.18-alt0.M80P.1   1.8.18-alt0.M80P.1       ALT-PU-2017-1760-1  184483  Fixed
python-module-django   c9f2    1.8.15-alt1          1.11.23-alt1             ALT-PU-2016-2173-1  171331  Fixed
python-module-django   c7      1.8.18-alt0.M70C.1   1.8.18-alt0.M70C.1       ALT-PU-2017-1754-1  184484  Fixed

References to Advisories, Solutions, and Tools

Configuration 1

  cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*
  cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
  cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*

Configuration 2

  cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:* (versions up to and including 1.8.14)
  cpe:2.3:a:djangoproject:django:1.9.0:*:*:*:*:*:*:*
  cpe:2.3:a:djangoproject:django:1.9.1:*:*:*:*:*:*:*
  cpe:2.3:a:djangoproject:django:1.9.2:*:*:*:*:*:*:*
  cpe:2.3:a:djangoproject:django:1.9.3:*:*:*:*:*:*:*
  cpe:2.3:a:djangoproject:django:1.9.4:*:*:*:*:*:*:*
  cpe:2.3:a:djangoproject:django:1.9.5:*:*:*:*:*:*:*
  cpe:2.3:a:djangoproject:django:1.9.6:*:*:*:*:*:*:*
  cpe:2.3:a:djangoproject:django:1.9.7:*:*:*:*:*:*:*
  cpe:2.3:a:djangoproject:django:1.9.8:*:*:*:*:*:*:*
  cpe:2.3:a:djangoproject:django:1.9.9:*:*:*:*:*:*:*

Configuration 3

  cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*