Information disclosure in Django Anymail

Published: 2018-02-09 13:32:50
Severity Low
Patch available YES
Number of vulnerabilities 1
CVE ID CVE-2018-6596
CVSSv3 6.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CWE ID CWE-200
Exploitation vector Network
Public exploit N/A
Vulnerable software Django Anymail
Vulnerable software versions Django Anymail 1.0
Django Anymail 1.1
Django Anymail 1.2
Vendor URL Django Software Foundation

Security Advisory

1) Information disclosure

Description

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information.

The vulnerability exists due to improper security restrictions when validating incoming webhook requests. A remote attacker can obtain the WEBHOOK_AUTHORIZATION shared secret of the affected software, conduct a timing attack against it, and post malicious email tracking events.
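The following is an added illustration, not Anymail's own code: a weak shared-secret check of the kind that enables a timing attack and leaks the secret, beside a hardened check that compares in constant time and keeps the expected secret out of the rejection message. The setting value, function names and header format (HTTP Basic, "user:password") are assumptions made for the example.

```python
import base64
import hmac

# Constructed sample value standing in for the WEBHOOK_AUTHORIZATION setting
# (assumption: Basic-auth "user:password" form).
WEBHOOK_AUTHORIZATION = "anymail:s3cr3t-shared-secret"


def _basic_credentials(authorization_header):
    """Decode an HTTP Basic 'Authorization' header to 'user:password', or None."""
    try:
        scheme, _, encoded = authorization_header.strip().partition(" ")
        if scheme.lower() != "basic":
            return None
        return base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def check_webhook_auth_weak(authorization_header):
    """Weak pattern (constructed, for contrast): '!=' stops at the first
    differing byte, so response time depends on how much of the guess is
    right, and the message echoes the expected secret into logs/error reports.
    Returns (accepted, message)."""
    credentials = _basic_credentials(authorization_header)
    if credentials != WEBHOOK_AUTHORIZATION:
        return False, "bad webhook credentials; expected %r" % WEBHOOK_AUTHORIZATION
    return True, "ok"


def check_webhook_auth(authorization_header):
    """Hardened pattern: reject malformed headers early, compare the full
    byte strings in constant time, and never include the secret in the
    message. Returns (accepted, message)."""
    credentials = _basic_credentials(authorization_header)
    if credentials is None:
        return False, "missing or malformed Basic Authorization header"
    if not hmac.compare_digest(credentials.encode("utf-8"),
                               WEBHOOK_AUTHORIZATION.encode("utf-8")):
        return False, "webhook credentials rejected"
    return True, "ok"


def basic_header(user_and_password):
    """Build a Basic Authorization header value for a 'user:password' string."""
    token = base64.b64encode(user_and_password.encode("utf-8")).decode("ascii")
    return "Basic " + token
```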

Remediation

Update to version 1.2.1 or 1.3.

External links

https://github.com/anymail/django-anymail/releases/tag/v1.2.1
https://github.com/anymail/django-anymail/releases/tag/v1.3
