CVE-2018-1000089

Severity Score

7.4

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Anymail django-anymail version version 0.2 through 1.3 contains a CWE-532, CWE-209 vulnerability in WEBHOOK_AUTHORIZATION setting value that can result in An attacker with access to error logs could fabricate email tracking events. This attack appear to be exploitable via If you have exposed your Django error reports, an attacker could discover your ANYMAIL_WEBHOOK setting and use this to post fabricated or malicious Anymail tracking/inbound events to your app. This vulnerability appears to have been fixed in v1.4.

Anymail django-anymail, de la versión 0.2 a la 1.3, contiene una vulnerabilidad de CWE-532 y CWE-209 en el valor de opción WEBHOOK_AUTHORIZATION que puede resultar en que un atacante con acceso a los registros de error fabrique eventos de rastreo de email. Si los informes de error de Django están expuestos, un atacante podría descubrir su opción ANYMAIL_WEBHOOK y emplearlo para publicar eventos fabricados o maliciosos tracking/inbound de Anymail a una app. La vulnerabilidad parece haber sido solucionada en la versión v1.4.

*Credits: N/A

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2018-02-21 CVE Reserved
2018-03-13 CVE Published
2023-07-08 EPSS Updated
2024-08-05 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-532: Insertion of Sensitive Information into Log File

CAPEC

References (2)

URL	Tag	Source
https://github.com/anymail/django-anymail/releases/tag/v1.4	Release Notes

URL	Date	SRC

URL	Date	SRC
https://github.com/anymail/django-anymail/commit/1a6086f2b58478d71f89bf27eb034ed81aefe5ef	2018-04-11

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Django-anymail Project Search vendor "Django-anymail Project"		Django-anymail Search vendor "Django-anymail Project" for product "Django-anymail"				>= 0.2 <= 1.3 Search vendor "Django-anymail Project" for product "Django-anymail" and version " >= 0.2 <= 1.3"		-		Affected