CVE-2018-1000089

13.03.2018, 15:29

Anymail django-anymail version version 0.2 through 1.3 contains a CWE-532, CWE-209 vulnerability in WEBHOOK_AUTHORIZATION setting value that can result in An attacker with access to error logs could fabricate email tracking events. This attack appear to be exploitable via If you have exposed your Django error reports, an attacker could discover your ANYMAIL_WEBHOOK setting and use this to post fabricated or malicious Anymail tracking/inbound events to your app. This vulnerability appears to have been fixed in v1.4.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.4 HIGH	NETWORK	HIGH	NONE	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
mitre	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 54%

Vendor	Product	Version
django-anymail_project	django-anymail	0.2 ≤ 𝑥 ≤ 1.3

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

django-anymail

bullseye	7.1.0-1 fixed
stretch	ignored
bookworm	9.0-1 fixed
sid	12.0-1 fixed
trixie	12.0-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

django-anymail

bionic	not-affected
artful	ignored
xenial	dne
trusty	dne

Common Weakness Enumeration

CWE-532 - Insertion of Sensitive Information into Log File
Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

References

https://github.com/anymail/django-anymail/commit/1a6086f2b58478d71f89bf27eb034ed81aefe5ef

https://github.com/anymail/django-anymail/releases/tag/v1.4

https://github.com/anymail/django-anymail/commit/1a6086f2b58478d71f89bf27eb034ed81aefe5ef

https://github.com/anymail/django-anymail/releases/tag/v1.4