CVE-2016-7401

Impact:
Moderate
Public Date:
2016-09-26
CWE:
CWE-352
Bugzilla:
1377376: CVE-2016-7401 python-django: CSRF protection bypass on a site with Google Analytics
A CSRF flaw was found in Django, where an interaction between Google Analytics and Django's cookie parsing could allow an attacker to set arbitrary cookies leading to a bypass of CSRF protection. In this update, the parser for ''request.COOKIES'' has been simplified to better match browser behavior and to mitigate this attack. ''request.COOKIES'' may now contain cookies that are invalid according to RFC 6265 but are possible to set using ''document.cookie''.
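The following is an added illustration of the "simplified, browser-like" cookie parsing the fix describes; it is a reimplementation written for this page, not Django's own code. It splits the Cookie header only on ';' and takes the first '=' of each chunk as the name/value boundary, so characters that are invalid under RFC 6265 (such as '=', '(', ')' and '|' in a Google Analytics campaign cookie) stay inside that cookie's value and can never start a new cookie. The quoted-string handling and the sample header are simplified assumptions.

```python
import hmac
import re

_QUOTED_ESCAPE = re.compile(r'\\(.)')


def _unquote(value):
    """Strip one surrounding double-quote pair and undo backslash escapes.
    Simplified stand-in for the stdlib's quoted-string handling (assumption)."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return _QUOTED_ESCAPE.sub(r'\1', value[1:-1])
    return value


def parse_cookie(header):
    """Browser-like parse: one cookie per ';' chunk, first '=' splits name/value."""
    cookies = {}
    for chunk in header.split(';'):
        if '=' in chunk:
            key, val = chunk.split('=', 1)
        else:
            key, val = '', chunk  # nameless cookie, which browsers do send
        key, val = key.strip(), val.strip()
        if key or val:
            cookies[key] = _unquote(val)
    return cookies


def csrf_check(header, submitted_token, cookie_name='csrftoken'):
    """Constant-time comparison of the CSRF cookie with the token submitted
    in the form or request header. True only when both exist and match."""
    expected = parse_cookie(header).get(cookie_name)
    if not expected or not submitted_token:
        return False
    return hmac.compare_digest(expected, submitted_token)


# Constructed sample header: a Google-Analytics-style __utmz cookie whose value
# holds '=', '(', ')' and '|' (invalid per RFC 6265 but settable via
# document.cookie), a quoted session cookie, and a nameless cookie.
SAMPLE_HEADER = ('csrftoken=abc123; '
                 '__utmz=1.2.3.4.utmcsr=(direct)|utmccn=csrftoken=evil|utmcmd=(none); '
                 'sessionid="s3ss\\"ion"; bare')

if __name__ == '__main__':
    print(parse_cookie(SAMPLE_HEADER))
    # The real csrftoken wins; the 'csrftoken=evil' text stays inside __utmz.
    print(csrf_check(SAMPLE_HEADER, 'abc123'), csrf_check(SAMPLE_HEADER, 'evil'))
```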

Find out more about CVE-2016-7401 from the MITRE CVE dictionary and NIST NVD.

Statement

This issue did not affect the versions of calamari-server shipped with Red Hat Ceph Storage 1.3 and 2.0, as they did not include support for Google Analytics with Django.

Red Hat Enterprise Linux OpenStack Platform 7.0 Operational Tools for RHEL 7:
This vulnerability has been rated as having a security impact of Moderate. After evaluation and in accordance with the criteria noted in the product support life cycle, there are no plans to address this issue in an upcoming release. Please contact Red Hat Support for further information.

Red Hat Enterprise Linux OpenStack Platform 8.0 Operational Tools for RHEL 7:
This vulnerability has been rated as having a security impact of Moderate. After evaluation and in accordance with the criteria noted in the product support life cycle, there are no plans to address this issue in an upcoming release. Please contact Red Hat Support for further information.

Red Hat OpenStack Platform 9.0 Operational Tools for RHEL 7:
This vulnerability has been rated as having a security impact of Moderate. After evaluation and in accordance with the criteria noted in the product support life cycle, there are no plans to address this issue in an upcoming release. Please contact Red Hat Support for further information.

CVSS v2 metrics

Base Score: 4.3
Base Metrics: AV:N/AC:M/Au:N/C:N/I:P/A:N
Access Vector: Network
Access Complexity: Medium
Authentication: None
Confidentiality Impact: None
Integrity Impact: Partial
Availability Impact: None

CVSS v3 metrics

CVSS3 Base Score: 6.1
CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

Platform                                                                               Errata          Release Date
Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6 (python-django)  RHSA-2016:2038  2016-10-10
Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7 (python-django)      RHSA-2016:2040  2016-10-10
Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7 (python-django)      RHSA-2016:2041  2016-10-10
Red Hat OpenStack Platform 8.0 (Liberty) (python-django)                               RHSA-2016:2042  2016-10-10
Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7 (python-django)  RHSA-2016:2039  2016-10-10
Red Hat OpenStack Platform 9.0 (python-django)                                         RHSA-2016:2043  2016-10-10

Affected Packages State

Platform                                                                  Package        State
Red Hat Subscription Asset Manager 1                                      Django         Not affected
Red Hat OpenStack Platform 9.0 Operational Tools for RHEL 7               python-django  Will not fix
Red Hat OpenStack Platform 10.0 Operational Tools for RHEL 7              python-django  Not affected
Red Hat OpenStack Platform 10                                             python-django  Not affected
Red Hat Enterprise Linux OpenStack Platform 8.0 Operational Tools for RHEL 7  python-django  Will not fix
Red Hat Enterprise Linux OpenStack Platform 7.0 Operational Tools for RHEL 7  python-django  Will not fix
Red Hat Ceph Storage 2                                                    Django         Not affected
Red Hat Ceph Storage 1.3                                                  Django         Not affected
Unless explicitly stated as not affected, all previous versions of packages in any minor update stream of a product listed here should be assumed vulnerable, although they may not have been subject to full analysis.

Acknowledgements

Red Hat would like to thank the upstream Django project for reporting this issue.