#VU698 Insecure cookie handling in Django - CVE-2016-7401

Vulnerability identifier: #VU698

Vulnerability risk: Medium

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2016-7401

CWE-ID: CWE-352

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Django
Web applications / CMS

Vendor: Django Software Foundation

Description

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to interraction error between Django's cookie parsing code and Google Analytics. A remote attacker can set arbitrary cookies and bypass CSRF protection, implemented by web application.

Successful exploitation of this vulnerability may allow an attacker to bypass various website security mechanisms, based on cookies.

Mitigation
Update to 1.8.15.
https://www.djangoproject.com/m/releases/1.8/Django-1.8.15.tar.gz
Update to 1.9.10.
https://www.djangoproject.com/m/releases/1.9/Django-1.9.10.tar.gz

Vulnerable software versions

Django: 1.8.0 - 1.9.8

---

External links
https://www.vuxml.org/freebsd/bb022643-84fb-11e6-a4a1-60a44ce6887b.html

---

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.