CVE-2018-6596

Published: Feb 3, 2018Modified: Nov 21, 2024

9.1

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Exploitability: 3.9 / Impact: 5.2

Source: NVD

Description

webhooks/base.py in Anymail (aka django-anymail) before 1.2.1 is prone to a timing attack vulnerability on the WEBHOOK_AUTHORIZATION secret, which allows remote attackers to post arbitrary e-mail tracking events.

Affected (2)

Products: Django Anymail Project: Django Anymail · Debian: Debian Linux

Django Anymail Project

1 product

Django Anymail

Debian

1 product

Debian Linux

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Django Anymail Project Django Anymail	Before 1.2.1

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 9.0

Related CWEs

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References (12)

https://bugs.debian.org/889450

Source: cve@mitre.org

Issue TrackingPatchThird Party Advisory

https://github.com/anymail/django-anymail/commit/c07998304b4a31df4c61deddcb03d3607a04691b

Source: cve@mitre.org

Patch

https://github.com/anymail/django-anymail/commit/db586ede1fbb41dce21310ea28ae15a1cf1286c5

Source: cve@mitre.org

Patch

https://github.com/anymail/django-anymail/releases/tag/v1.2.1

Source: cve@mitre.org

Release Notes

https://github.com/anymail/django-anymail/releases/tag/v1.3

Source: cve@mitre.org

Release Notes

https://www.debian.org/security/2018/dsa-4107

Source: cve@mitre.org

Third Party Advisory

https://bugs.debian.org/889450