Insecure cookie handling in Django

#VU698 Insecure cookie handling in Django

Published: 2016-09-30 | Updated: 2016-10-05

Vulnerability identifier: #VU698

Vulnerability risk: Medium

CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-7401

CWE-ID: CWE-352

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Django
Web applications / CMS

Vendor: Django Software Foundation

Description

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to interraction error between Django's cookie parsing code and Google Analytics. A remote attacker can set arbitrary cookies and bypass CSRF protection, implemented by web application.

Successful exploitation of this vulnerability may allow an attacker to bypass various website security mechanisms, based on cookies.

Mitigation
Update to 1.8.15.
https://www.djangoproject.com/m/releases/1.8/Django-1.8.15.tar.gz
Update to 1.9.10.
https://www.djangoproject.com/m/releases/1.9/Django-1.9.10.tar.gz

Vulnerable software versions

Django: 1.8.0 - 1.9.8

External links
http://www.vuxml.org/freebsd/bb022643-84fb-11e6-a4a1-60a44ce6887b.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Arch Linux update for python-django

Arch Linux update for python2-django

Security restrictions bypass in Tornado web server

CSRF attack when handling Google Analytics cookies in Django

Ubuntu update for Django