CVE-2016-7401
Published 2016-10-03
Priority P3 · 48 · high · 7.5 CVSS 3.0
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS: 6.13% (92.6th percentile)
The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.
Affected
20 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| collectd | collectd | >= 0 < 5.4.0-3ubuntu2.2+esm1 | 5.4.0-3ubuntu2.2+esm1 |
| collectd | collectd | >= 0 < 5.5.1-1ubuntu0.1~esm1 | 5.5.1-1ubuntu0.1~esm1 |
| debian | debian_linux | — | — |
| debian | python-django | < python-django 1:1.10-1 (bookworm) | python-django 1:1.10-1 (bookworm) |
| djangoproject | django | <= 1.8.14 | — |
| djangoproject | django | — | — |
| djangoproject | django | >= 0 < 1.8.15 | 1.8.15 |
| djangoproject | django | >= 1.9 < 1.9.10 | 1.9.10 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| nvd | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| osv | — | 9.1 | CRITICAL | — |
| vendor_debian | — | 7.5 | LOW | — |
| vendor_redhat | — | 7.5 | HIGH | — |
OSV
Django CSRF Protection Bypass
osv · 2022-05-14 · HIGH
The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.
GHSA
Django CSRF Protection Bypass
ghsa · 2022-05-14 · HIGH
The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.
OSV
collectd vulnerabilities
osv · 2021-03-15 · CVSS 9.1 · CVE-2016-6254
It was discovered that collectd mishandled certain malformed packets. A remote attacker could use this vulnerability to cause collectd to crash or possibly execute arbitrary code. (CVE-2016-6254)
It was discovered that collectd failed to handle certain input. An attacker could use this vulnerability to cause collectd to crash. (CVE-2017-16820)
It was discovered that collectd mishandles certain malformed network packets. A remote attacker could use this vulnerability to cause a Denial of Service or consume system resources. (CVE-2017-7401)
OSV
CVE-2016-7401: The cookie parsing code in Django before 1
osv · 2016-10-03 · CVSS 7.5 · HIGH
The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.
Ubuntu
Django vulnerability
vendor_ubuntu · 2016-09-27
Summary: Django could be made to set arbitrary cookies.
Sergey Bobrov discovered that Django incorrectly parsed cookies when being used with Google Analytics. A remote attacker could possibly use this issue to set arbitrary cookies leading to a CSRF protection bypass.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
python-django: CSRF protection bypass on a site with Google Analytics
vendor_redhat · 2016-09-26 · CVSS 7.5 · HIGH · CWE-352
The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.
A CSRF flaw was found in Django, where an interaction between Google Analytics and Django's cookie parsing could allow an attacker to set arbitrary cookies leading to a bypass of CSRF protection. In this update, the parser for `request.COOKIES` has been simplified to better match browser behavior and to mitigate this attack. `request.COOKIES` may now contain cookies that are invalid according to RFC 6265 but are possible to set using `document.cookie`.
Statement: This issue did not affect the versi
Debian
CVE-2016-7401: python-django - The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when us...
vendor_debian · 2016 · CVSS 7.5 · HIGH
The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.
Scope: local
bookworm: resolved (fixed in 1:1.10-1)
bullseye: resolved (fixed in 1:1.10-1)
forky: resolved (fixed in 1:1.10-1)
sid: resolved (fixed in 1:1.10-1)
trixie: resolved (fixed in 1:1.10-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2016-7401 python-django15: python-django: CSRF protection bypass on a site with Google Analytics [epel-6]
bugzilla · 2016-09-26 · CVSS 7.5 · HIGH
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
[bug automatically
Bugzilla
CVE-2016-7401 python-django: CSRF protection bypass on a site with Google Analytics [epel-7]
bugzilla · 2016-09-26 · CVSS 7.5 · HIGH
Bugzilla
CVE-2016-7401 Django14: python-django: CSRF protection bypass on a site with Google Analytics [epel-6]
bugzilla · 2016-09-26 · CVSS 7.5 · HIGH
Bugzilla
CVE-2016-7401 python-django: CSRF protection bypass on a site with Google Analytics [fedora-all]
bugzilla · 2016-09-26 · CVSS 7.5 · HIGH
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this issue affects multiple sup
Bugzilla
CVE-2016-7401 python-django: CSRF protection bypass on a site with Google Analytics
bugzilla · 2016-09-19 · CVSS 7.5 · HIGH
An interaction between Google Analytics and Django's cookie parsing could allow an attacker to set arbitrary cookies leading to a bypass of CSRF protection.
The parser for ``request.COOKIES`` is simplified to better match the behavior of browsers and to mitigate this attack. ``request.COOKIES`` may now contain cookies that are invalid according to RFC 6265 but are possible to set via ``document.cookie``.
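The Red Hat advisory and this Bugzilla description both state the fix in outline only: the ``request.COOKIES`` parser was rewritten to behave like a browser instead of applying the RFC 6265 grammar to the incoming header. The Python example below is added here and is not Django's code or text from any of the advisories. It puts the standard library's strict ``SimpleCookie`` grammar next to a lenient split-on-``;``-and-``=`` parser of the kind the advisory describes (a reimplementation written for this page, not Django's), and runs both over two constructed ``Cookie`` headers. The point it makes for a defender: a strict parser stops at the first chunk it cannot parse, so every cookie after a malformed one never reaches the application and a CSRF check that looks for its cookie finds nothing, whereas the browser-like parser keeps them all. ``csrftoken`` is Django's default CSRF cookie name; the header contents are made up.

```python
"""Strict vs browser-like parsing of a Cookie request header.

Added example for this page, not Django's own code. The strict parser is
Python's standard-library SimpleCookie; the lenient one reimplements the
browser-like approach the advisory describes (split on ';' and '=', keep
every chunk). All headers below are constructed sample input.
"""
from http.cookies import CookieError, SimpleCookie

CSRF_COOKIE = "csrftoken"  # Django's default CSRF cookie name


def strict_parse_cookie(header: str) -> dict:
    """Parse with SimpleCookie. Its grammar stops at the first chunk it
    cannot match, so cookies after that chunk are silently lost, and a
    CookieError (illegal name) discards the whole header."""
    jar = SimpleCookie()
    try:
        jar.load(header)
    except CookieError:
        return {}
    return {name: morsel.value for name, morsel in jar.items()}


def lenient_parse_cookie(header: str) -> dict:
    """Browser-like parsing: every ';'-separated chunk becomes a cookie,
    a chunk without '=' is stored under the empty name, and surrounding
    double quotes are stripped. Names that violate RFC 6265 are kept
    rather than aborting the parse."""
    cookies = {}
    for chunk in header.split(";"):
        if "=" in chunk:
            name, value = chunk.split("=", 1)
        else:
            name, value = "", chunk
        name, value = name.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        if name or value:
            cookies[name] = value
    return cookies


def dropped_cookies(header: str) -> set:
    """Cookie names the lenient parser sees but the strict parser loses."""
    return set(lenient_parse_cookie(header)) - set(strict_parse_cookie(header))


def csrf_cookie_visible(header: str, parser=strict_parse_cookie) -> bool:
    """Would a CSRF check that reads its cookie from `parser` find it?"""
    return CSRF_COOKIE in parser(header)


# Constructed headers. The first has a cookie name containing '[' which the
# strict grammar does not accept in a name; the second has a chunk with no
# '=' at all, which makes SimpleCookie give up on the entire header.
BRACKET_HEADER = "csrftoken=abc123; odd[name]=1; sessionid=s3ss10n"
BAREWORD_HEADER = "csrftoken=abc123; bareword; sessionid=s3ss10n"

if __name__ == "__main__":
    for label, hdr in (("bracket", BRACKET_HEADER), ("bareword", BAREWORD_HEADER)):
        print(label, "strict :", strict_parse_cookie(hdr))
        print(label, "lenient:", lenient_parse_cookie(hdr))
        print(label, "lost by strict parser:", sorted(dropped_cookies(hdr)))
        print(label, "CSRF cookie visible to strict parser:", csrf_cookie_visible(hdr))
```

Running the script shows the two failure modes side by side: with the bracketed name, the strict parser returns only ``csrftoken`` and drops ``sessionid``; with the bare word, it returns nothing at all, so even the CSRF cookie that was sent disappears. The lenient parser returns every chunk in both cases, which is the behaviour the advisory says ``request.COOKIES`` now has, at the cost of admitting names that RFC 6265 would reject.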
Discussion:
Acknowledgments:
Name: the upstream Django project
---
Created Django14 tracking bugs for this issue:
Affects: epel-6 [bug 1379487]
---
Created python-django15 tracking bugs for this issue:
Affects: epel-6 [bug 1379488]
---
Created python-django tracking bugs for this issue:
Affect
References:
- http://rhn.redhat.com/errata/RHSA-2016-2038.html
- http://rhn.redhat.com/errata/RHSA-2016-2039.html
- http://rhn.redhat.com/errata/RHSA-2016-2040.html
- http://rhn.redhat.com/errata/RHSA-2016-2041.html
- http://rhn.redhat.com/errata/RHSA-2016-2042.html
- http://rhn.redhat.com/errata/RHSA-2016-2043.html
- http://www.debian.org/security/2016/dsa-3678
- http://www.securityfocus.com/bid/93182
- http://www.securitytracker.com/id/1036899
- http://www.ubuntu.com/usn/USN-3089-1
- https://www.djangoproject.com/weblog/2016/sep/26/security-releases/
Published: 2016-10-03