CVE-2018-1000089

EUVD-2018-0033

13.03.2018, 15:29

Anymail django-anymail version version 0.2 through 1.3 contains a CWE-532, CWE-209 vulnerability in WEBHOOK_AUTHORIZATION setting value that can result in An attacker with access to error logs could fabricate email tracking events. This attack appear to be exploitable via If you have exposed your Django error reports, an attacker could discover your ANYMAIL_WEBHOOK setting and use this to post fabricated or malicious Anymail tracking/inbound events to your app. This vulnerability appears to have been fixed in v1.4.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.4 HIGH	NETWORK	HIGH	NONE	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 53%

Affected Products (NVD)

Vendor	Product	Version
django-anymail_project	django-anymail	0.2 ≤ 𝑥 ≤ 1.3

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

django-anymail

bookworm	9.0-1 fixed
bullseye	7.1.0-1 fixed
sid	12.0-1 fixed
stretch	ignored
trixie	12.0-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

django-anymail

artful	ignored
bionic	not-affected
trusty	dne
xenial	dne

Common Weakness Enumeration

CWE-532 - Insertion of Sensitive Information into Log File
Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

References

https://github.com/anymail/django-anymail/commit/1a6086f2b58478d71f89bf27eb034ed81aefe5ef

https://github.com/anymail/django-anymail/releases/tag/v1.4

https://github.com/anymail/django-anymail/commit/1a6086f2b58478d71f89bf27eb034ed81aefe5ef

https://github.com/anymail/django-anymail/releases/tag/v1.4