Описание
Django CSRF Protection Bypass
The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2016-7401
- https://github.com/django/django/commit/6118ab7d0676f0d622278e5be215f14fb5410b6a
- https://github.com/django/django/commit/6fe846a8f08dc959003f298b5407e321c6fe3735
- https://github.com/django/django/commit/d1bc980db1c0fffd6d60677e62f70beadb9fe64a
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2016-3.yaml
- https://web.archive.org/web/20200227223637/http://www.securityfocus.com/bid/93182
- https://web.archive.org/web/20210927195154/http://www.securitytracker.com/id/1036899
- https://www.djangoproject.com/weblog/2016/sep/26/security-releases
- http://rhn.redhat.com/errata/RHSA-2016-2038.html
- http://rhn.redhat.com/errata/RHSA-2016-2039.html
- http://rhn.redhat.com/errata/RHSA-2016-2040.html
- http://rhn.redhat.com/errata/RHSA-2016-2041.html
- http://rhn.redhat.com/errata/RHSA-2016-2042.html
- http://rhn.redhat.com/errata/RHSA-2016-2043.html
- http://www.debian.org/security/2016/dsa-3678
- http://www.ubuntu.com/usn/USN-3089-1
Пакеты
Django
< 1.8.15
1.8.15
Django
>= 1.9, < 1.9.10
1.9.10
Связанные уязвимости
The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.
The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.
The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.
The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.1 ...
