{"id":"CVE-2016-6801","details":"Cross-site request forgery (CSRF) vulnerability in the CSRF content-type check in Jackrabbit-Webdav in Apache Jackrabbit 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.3, 2.10.x before 2.10.4, 2.12.x before 2.12.4, and 2.13.x before 2.13.3 allows remote attackers to hijack the authentication of unspecified victims for requests that create a resource via an HTTP POST request with a (1) missing or (2) crafted Content-Type header.","aliases":["GHSA-9fc7-rhq3-wm7x"],"modified":"2026-07-08T05:49:03.111494518Z","published":"2016-09-21T14:25:21.737Z","database_specific":{"unresolved_ranges":[{"extracted_events":[{"introduced":"8.0"},{"last_affected":"8.0"}],"vendor_product":"debian:debian_linux","source":"CPE_STRING","cpes":["cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*"]}]},"references":[{"type":"ADVISORY","url":"http://www.debian.org/security/2016/dsa-3679"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2016/09/14/6"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/92966"},{"type":"ADVISORY","url":"https://issues.apache.org/jira/browse/JCR-4009"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/jackrabbit","events":[{"introduced":"1bcd41f9bc12ef4a973f9bd73f571fb507b7596e"},{"last_affected":"00e3dc1470e63b73f79b01ff6d2e6c36d3836039"}],"database_specific":{"extracted_events":[{"introduced":"2.4.0"},{"last_affected":"2.4.0"},{"introduced":"2.4.1"},{"last_affected":"2.4.1"},{"introduced":"2.4.2"},{"last_affected":"2.4.2"},{"introduced":"2.4.3"},{"last_affected":"2.4.3"},{"introduced":"2.4.4"},{"last_affected":"2.4.4"},{"introduced":"2.4.5"},{"last_affected":"2.4.5"},{"introduced":"2.6.0"},{"last_affected":"2.6.0"},{"introduced":"2.6.1"},{"last_affected":"2.6.1"},{"introduced":"2.6.2"},{"last_affected":"2.6.2"},{"introduced":"2.6.3"},{"last_affected":"2.6.3"},{"introduced":"2.6.4"},{"last_affected":"2.6.4"},{"introduced":"2.6.5"},{"last_affected":"2.6.5"},{"introduced":"2.8.0"},{"last_affected":"2.8.0"},{"introduced":"2.8.1"},{"last_affected":"2.8.1"},{"introduced":"2.8.2"},{"last_affected":"2.8.2"},{"introduced":"2.10.0"},{"last_affected":"2.10.0"},{"introduced":"2.10.1"},{"last_affected":"2.10.1"},{"introduced":"2.10.2"},{"last_affected":"2.10.2"},{"introduced":"2.10.3"},{"last_affected":"2.10.3"},{"introduced":"2.12.0"},{"last_affected":"2.12.0"},{"introduced":"2.12.1"},{"last_affected":"2.12.1"},{"introduced":"2.12.2"},{"last_affected":"2.12.2"},{"introduced":"2.12.3"},{"last_affected":"2.12.3"},{"introduced":"2.13.0"},{"last_affected":"2.13.0"},{"introduced":"2.13.1"},{"last_affected":"2.13.1"},{"introduced":"2.13.2"},{"last_affected":"2.13.2"}],"cpe":["cpe:2.3:a:apache:jackrabbit:2.4.0:*:*:*:*:*:*:*","cpe:2.3:a:apache:jackrabbit:2.4.1:*:*:*:*:*:*:*","cpe:2.3:a:apache:jackrabbit:2.4.2:*:*:*:*:*:*:*","cpe:2.3:a:apache:jackrabbit:2.4.3:*:*:*:*:*:*:*","cpe:2.3:a:apache:jackrabbit:2.4.4:*:*:*:*:*:*:*","cpe:2.3:a:apache:jackrabbit:2.4.5:*:*:*:*:*:*:*","cpe:2.3:a:apache:jackrabbit:2.6.0:*:*:*:*:*:*:*","cpe:2.3:a:apache:jackrabbit:2.6.1:*:*:*:*:*:*:*","cpe:2.3:a:apache:jackrabbit:2.6.2:*:*:*:*:*:*:*","cpe:2.3:a:apache:jackrabbit:2.6.3:*:*:*:*:*:*:*","cpe:2.3:a:apache:jackrabbit:2.6.4:*:*:*:*:*:*:*","cpe:2.3:a:apache:jackrabbit:2.6.5:*:*:*:*:*:*:*","cpe:2.3:a:apache:jackrabbit:2.8.0:*:*:*:*:*:*:*","cpe:2.3:a:apache:jackrabbit:2.8.1:*:*:*:*:*:*:*","cpe:2.3:a:apache:jackrabbit:2.8.2:*:*:*:*:*:*:*","cpe:2.3:a:apache:jackrabbit:2.10.0:*:*:*:*:*:*:*","cpe:2.3:a:apache:jackrabbit:2.10.1:*:*:*:*:*:*:*","cpe:2.3:a:apache:jackrabbit:2.10.2:*:*:*:*:*:*:*","cpe:2.3:a:apache:jackrabbit:2.10.3:*:*:*:*:*:*:*","cpe:2.3:a:apache:jackrabbit:2.12.0:*:*:*:*:*:*:*","cpe:2.3:a:apache:jackrabbit:2.12.1:*:*:*:*:*:*:*","cpe:2.3:a:apache:jackrabbit:2.12.2:*:*:*:*:*:*:*","cpe:2.3:a:apache:jackrabbit:2.12.3:*:*:*:*:*:*:*","cpe:2.3:a:apache:jackrabbit:2.13.0:*:*:*:*:*:*:*","cpe:2.3:a:apache:jackrabbit:2.13.1:*:*:*:*:*:*:*","cpe:2.3:a:apache:jackrabbit:2.13.2:*:*:*:*:*:*:*"],"source":"CPE_STRING"}}],"versions":["2.10.0","2.10.1","2.10.2","2.10.3","2.12.0","2.12.1","2.12.2","2.12.3","2.13.0","2.13.1","2.13.2","2.4.0","2.4.1","2.4.2","2.4.3","2.4.4","2.4.5","2.6.0","2.6.1","2.6.2","2.6.3","2.6.4","2.6.5","2.8.0","2.8.1","2.8.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-6801.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}