CVE-2018-1000089 - OpenCVE

Anymail django-anymail version version 0.2 through 1.3 contains a CWE-532, CWE-209 vulnerability in WEBHOOK_AUTHORIZATION setting value that can result in An attacker with access to error logs could fabricate email tracking events. This attack appear to be exploitable via If you have exposed your Django error reports, an attacker could discover your ANYMAIL_WEBHOOK setting and use this to post fabricated or malicious Anymail tracking/inbound events to your app. This vulnerability appears to have been fixed in v1.4.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Django-anymail Project	Django-anymail

Configuration 1 [-]

cpe:2.3:a:django-anymail_project:django-anymail:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/anymail/django-anymail/commit/1a6086f2b58478d71f89bf27eb034ed81aefe5ef
https://github.com/anymail/django-anymail/releases/tag/v1.4

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2018-03-13T15:00:00

Updated: 2024-08-05T12:33:49.156Z

Reserved: 2018-02-21T00:00:00

Link: CVE-2018-1000089

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2018-03-13T15:29:01.377

Modified: 2018-04-11T14:12:16.037

Link: CVE-2018-1000089

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "dateAssigned": "2018-02-08T00:00:00", "datePublic": "2018-03-13T00:00:00", "descriptions": [{"lang": "en", "value": "Anymail django-anymail version version 0.2 through 1.3 contains a CWE-532, CWE-209 vulnerability in WEBHOOK_AUTHORIZATION setting value that can result in An attacker with access to error logs could fabricate email tracking events. This attack appear to be exploitable via If you have exposed your Django error reports, an attacker could discover your ANYMAIL_WEBHOOK setting and use this to post fabricated or malicious Anymail tracking/inbound events to your app. This vulnerability appears to have been fixed in v1.4."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-03-13T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/anymail/django-anymail/commit/1a6086f2b58478d71f89bf27eb034ed81aefe5ef"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/anymail/django-anymail/releases/tag/v1.4"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "DATE_ASSIGNED": "2/8/2018 13:09:31", "ID": "CVE-2018-1000089", "REQUESTER": "medmunds@gmail.com", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Anymail django-anymail version version 0.2 through 1.3 contains a CWE-532, CWE-209 vulnerability in WEBHOOK_AUTHORIZATION setting value that can result in An attacker with access to error logs could fabricate email tracking events. This attack appear to be exploitable via If you have exposed your Django error reports, an attacker could discover your ANYMAIL_WEBHOOK setting and use this to post fabricated or malicious Anymail tracking/inbound events to your app. This vulnerability appears to have been fixed in v1.4."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/anymail/django-anymail/commit/1a6086f2b58478d71f89bf27eb034ed81aefe5ef", "refsource": "MISC", "url": "https://github.com/anymail/django-anymail/commit/1a6086f2b58478d71f89bf27eb034ed81aefe5ef"}, {"name": "https://github.com/anymail/django-anymail/releases/tag/v1.4", "refsource": "MISC", "url": "https://github.com/anymail/django-anymail/releases/tag/v1.4"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T12:33:49.156Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/anymail/django-anymail/commit/1a6086f2b58478d71f89bf27eb034ed81aefe5ef"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/anymail/django-anymail/releases/tag/v1.4"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-1000089", "datePublished": "2018-03-13T15:00:00", "dateReserved": "2018-02-21T00:00:00", "dateUpdated": "2024-08-05T12:33:49.156Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:django-anymail_project:django-anymail:*:*:*:*:*:*:*:*", "matchCriteriaId": "2D9039C1-04AE-4276-804A-36E1D3E7EF55", "versionEndIncluding": "1.3", "versionStartIncluding": "0.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Anymail django-anymail version version 0.2 through 1.3 contains a CWE-532, CWE-209 vulnerability in WEBHOOK_AUTHORIZATION setting value that can result in An attacker with access to error logs could fabricate email tracking events. This attack appear to be exploitable via If you have exposed your Django error reports, an attacker could discover your ANYMAIL_WEBHOOK setting and use this to post fabricated or malicious Anymail tracking/inbound events to your app. This vulnerability appears to have been fixed in v1.4."}, {"lang": "es", "value": "Anymail django-anymail, de la versi\u00f3n 0.2 a la 1.3, contiene una vulnerabilidad de CWE-532 y CWE-209 en el valor de opci\u00f3n WEBHOOK_AUTHORIZATION que puede resultar en que un atacante con acceso a los registros de error fabrique eventos de rastreo de email. Si los informes de error de Django est\u00e1n expuestos, un atacante podr\u00eda descubrir su opci\u00f3n ANYMAIL_WEBHOOK y emplearlo para publicar eventos fabricados o maliciosos tracking/inbound de Anymail a una app. La vulnerabilidad parece haber sido solucionada en la versi\u00f3n v1.4."}], "id": "CVE-2018-1000089", "lastModified": "2018-04-11T14:12:16.037", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-03-13T15:29:01.377", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/anymail/django-anymail/commit/1a6086f2b58478d71f89bf27eb034ed81aefe5ef"}, {"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "https://github.com/anymail/django-anymail/releases/tag/v1.4"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-532"}], "source": "nvd@nist.gov", "type": "Primary"}]}