CVE-2016-6801
Summary
| CVE | CVE-2016-6801 |
|---|---|
| State | PUBLISHED |
| Assigner | mitre |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2016-09-21 14:25:21 UTC |
| Updated | 2026-05-06 22:30:45 UTC |
| Description | Cross-site request forgery (CSRF) vulnerability in the CSRF content-type check in Jackrabbit-Webdav in Apache Jackrabbit 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.3, 2.10.x before 2.10.4, 2.12.x before 2.12.4, and 2.13.x before 2.13.3 allows remote attackers to hijack the authentication of unspecified victims for requests that create a resource via an HTTP POST request with a (1) missing or (2) crafted Content-Type header. |
Risk And Classification
Primary CVSS: v3.0 8.8 HIGH from [email protected]
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.003600000 probability, percentile 0.580930000 (date 2026-05-06)
Problem Types: CWE-352 | n/a
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.0 | [email protected] | Primary | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| 2.0 | [email protected] | Primary | 6.8 | AV:N/AC:M/Au:N/C:P/I:P/A:P |
CVSS v3.0 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
NoneUser Interaction
RequiredScope
UnchangedConfidentiality
HighIntegrity
HighAvailability
HighCVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS v2.0 Breakdown
Access Vector
NetworkAccess Complexity
MediumAuthentication
NoneConfidentiality
PartialIntegrity
PartialAvailability
PartialAV:N/AC:M/Au:N/C:P/I:P/A:P
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Apache | Jackrabbit | 2.10.0 | All | All | All |
| Application | Apache | Jackrabbit | 2.10.1 | All | All | All |
| Application | Apache | Jackrabbit | 2.10.2 | All | All | All |
| Application | Apache | Jackrabbit | 2.10.3 | All | All | All |
| Application | Apache | Jackrabbit | 2.12.0 | All | All | All |
| Application | Apache | Jackrabbit | 2.12.1 | All | All | All |
| Application | Apache | Jackrabbit | 2.12.2 | All | All | All |
| Application | Apache | Jackrabbit | 2.12.3 | All | All | All |
| Application | Apache | Jackrabbit | 2.13.0 | All | All | All |
| Application | Apache | Jackrabbit | 2.13.1 | All | All | All |
| Application | Apache | Jackrabbit | 2.13.2 | All | All | All |
| Application | Apache | Jackrabbit | 2.4.0 | All | All | All |
| Application | Apache | Jackrabbit | 2.4.1 | All | All | All |
| Application | Apache | Jackrabbit | 2.4.2 | All | All | All |
| Application | Apache | Jackrabbit | 2.4.3 | All | All | All |
| Application | Apache | Jackrabbit | 2.4.4 | All | All | All |
| Application | Apache | Jackrabbit | 2.4.5 | All | All | All |
| Application | Apache | Jackrabbit | 2.6.0 | All | All | All |
| Application | Apache | Jackrabbit | 2.6.1 | All | All | All |
| Application | Apache | Jackrabbit | 2.6.2 | All | All | All |
| Application | Apache | Jackrabbit | 2.6.3 | All | All | All |
| Application | Apache | Jackrabbit | 2.6.4 | All | All | All |
| Application | Apache | Jackrabbit | 2.6.5 | All | All | All |
| Application | Apache | Jackrabbit | 2.8.0 | All | All | All |
| Application | Apache | Jackrabbit | 2.8.1 | All | All | All |
| Application | Apache | Jackrabbit | 2.8.2 | All | All | All |
| Operating System | Debian | Debian Linux | 8.0 | All | All | All |
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| oss-security - CVE-2016-6801: CSRF in Jackrabbit-Webdav using empty content-type | af854a3a-2127-422b-91ae-364da2661108 | www.openwall.com | Third Party Advisory |
| [JCR-4009] CSRF in Jackrabbit-Webdav (CVE-2016-6801) - ASF JIRA | af854a3a-2127-422b-91ae-364da2661108 | issues.apache.org | Vendor Advisory |
| Apache Jackrabbit CVE-2016-6801 Cross-Site Request Forgery Vulnerability | af854a3a-2127-422b-91ae-364da2661108 | www.securityfocus.com | Third Party Advisory, VDB Entry |
| Debian -- Security Information -- DSA-3679-1 jackrabbit | af854a3a-2127-422b-91ae-364da2661108 | www.debian.org | Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.