Description
webhooks/base.py in Anymail (aka django-anymail) before 1.2.1 is prone to a
timing attack on the WEBHOOK_AUTHORIZATION secret, which allows a remote
attacker to obtain the secret and then post arbitrary e-mail tracking events.
#### Bugs
* <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889450>
{"id": "UB:CVE-2018-6596", "vendorId": null, "type": "ubuntucve", "bulletinFamily": "info", "title": "CVE-2018-6596", "description": "webhooks/base.py in Anymail (aka django-anymail) before 1.2.1 is prone to a\ntiming attack vulnerability on the WEBHOOK_AUTHORIZATION secret, which\nallows remote attackers to post arbitrary e-mail tracking events.\n\n#### Bugs\n\n * <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889450>\n", "published": "2018-02-03T00:00:00", "modified": "2018-02-03T00:00:00", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}, "cvss2": {"cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.2}, "href": "https://ubuntu.com/security/CVE-2018-6596", "reporter": "ubuntu.com", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6596", "https://github.com/anymail/django-anymail/commit/db586ede1fbb41dce21310ea28ae15a1cf1286c5 ", "https://github.com/anymail/django-anymail/commit/c07998304b4a31df4c61deddcb03d3607a04691b ", "https://bugs.debian.org/889450", "https://github.com/anymail/django-anymail/commit/c07998304b4a31df4c61deddcb03d3607a04691b", 
"https://github.com/anymail/django-anymail/commit/db586ede1fbb41dce21310ea28ae15a1cf1286c5", "https://github.com/anymail/django-anymail/releases/tag/v1.2.1", "https://github.com/anymail/django-anymail/releases/tag/v1.3", "https://nvd.nist.gov/vuln/detail/CVE-2018-6596", "https://launchpad.net/bugs/cve/CVE-2018-6596", "https://security-tracker.debian.org/tracker/CVE-2018-6596"], "cvelist": ["CVE-2018-6596"], "immutableFields": [], "lastseen": "2021-11-22T21:37:27", "viewCount": 2, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2018-6596"]}, {"type": "debian", "idList": ["DEBIAN:DSA-4107-1:9A860", "DEBIAN:DSA-4107-1:F16EE"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2018-6596"]}, {"type": "github", "idList": ["GHSA-HXF9-7H4C-F5JV"]}, {"type": "nessus", "idList": ["DEBIAN_DSA-4107.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310704107"]}], "rev": 4}, "score": {"value": 5.8, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2018-6596"]}, {"type": "debian", "idList": ["DEBIAN:DSA-4107-1:9A860"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2018-6596"]}, {"type": "github", "idList": ["GHSA-HXF9-7H4C-F5JV"]}, {"type": "nessus", "idList": ["DEBIAN_DSA-4107.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310704107"]}]}, "exploitation": null, "vulnersScore": 5.8}, "affectedPackage": [{"OS": "ubuntu", "OSVersion": "Upstream", "arch": "noarch", "packageVersion": "1.3-1", "packageFilename": "UNKNOWN", "operator": "lt", "status": "released", "packageName": "django-anymail"}], "bugs": ["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889450"], "_state": {"dependencies": 1646180200}}
{"osv": [{"lastseen": "2022-05-12T01:11:43", "description": "webhooks/base.py in Anymail (aka django-anymail) before 1.2.1 is prone to a timing attack vulnerability on the WEBHOOK_AUTHORIZATION secret, which allows remote attackers to post arbitrary e-mail tracking events.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2018-02-03T21:29:00", "type": "osv", "title": "PYSEC-2018-7", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-6596"], "modified": "2021-06-16T00:03:22", "id": "OSV:PYSEC-2018-7", "href": "https://osv.dev/vulnerability/PYSEC-2018-7", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2022-06-10T04:58:58", "description": "webhooks/base.py in Anymail (aka django-anymail) before 1.2.1 is prone to a timing attack vulnerability on the WEBHOOK_AUTHORIZATION secret, which allows remote attackers to post arbitrary e-mail tracking events.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", 
"privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2018-07-12T20:30:40", "type": "osv", "title": "Django-Anymail prone to a timing attack", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-6596"], "modified": "2022-06-10T02:16:22", "id": "OSV:GHSA-HXF9-7H4C-F5JV", "href": "https://osv.dev/vulnerability/GHSA-hxf9-7h4c-f5jv", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}], "debian": [{"lastseen": "2021-11-29T22:40:18", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4107-1 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nFebruary 07, 2018 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : django-anymail\nCVE ID : CVE-2018-6596\nDebian Bug : 889450\n\nIt was discovered that the webhook validation of Anymail, a Django email\nbackends for multiple ESPs, is prone to a timing attack. 
A remote\nattacker can take advantage of this flaw to obtain a\nWEBHOOK_AUTHORIZATION secret and post arbitrary email tracking events.\n\nFor the stable distribution (stretch), this problem has been fixed in\nversion 0.8-2+deb9u1.\n\nWe recommend that you upgrade your django-anymail packages.\n\nFor the detailed security status of django-anymail please refer to its\nsecurity tracker page at:\nhttps://security-tracker.debian.org/tracker/django-anymail\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 9.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.2}, "published": "2018-02-07T21:59:49", "type": "debian", "title": "[SECURITY] [DSA 4107-1] django-anymail security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-6596"], "modified": "2018-02-07T21:59:49", "id": "DEBIAN:DSA-4107-1:9A860", "href": "https://lists.debian.org/debian-security-announce/2018/msg00030.html", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": 
"2021-10-21T21:44:57", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4107-1 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nFebruary 07, 2018 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : django-anymail\nCVE ID : CVE-2018-6596\nDebian Bug : 889450\n\nIt was discovered that the webhook validation of Anymail, a Django email\nbackends for multiple ESPs, is prone to a timing attack. A remote\nattacker can take advantage of this flaw to obtain a\nWEBHOOK_AUTHORIZATION secret and post arbitrary email tracking events.\n\nFor the stable distribution (stretch), this problem has been fixed in\nversion 0.8-2+deb9u1.\n\nWe recommend that you upgrade your django-anymail packages.\n\nFor the detailed security status of django-anymail please refer to its\nsecurity tracker page at:\nhttps://security-tracker.debian.org/tracker/django-anymail\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 9.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.2}, "published": "2018-02-07T21:59:49", "type": "debian", "title": "[SECURITY] [DSA 4107-1] django-anymail security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": 
{"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-6596"], "modified": "2018-02-07T21:59:49", "id": "DEBIAN:DSA-4107-1:F16EE", "href": "https://lists.debian.org/debian-security-announce/2018/msg00030.html", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}], "nessus": [{"lastseen": "2022-04-12T16:29:15", "description": "It was discovered that the webhook validation of Anymail, a Django email backends for multiple ESPs, is prone to a timing attack. A remote attacker can take advantage of this flaw to obtain a WEBHOOK_AUTHORIZATION secret and post arbitrary email tracking events.", "cvss3": {"score": 9.1, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"}, "published": "2018-02-08T00:00:00", "type": "nessus", "title": "Debian DSA-4107-1 : django-anymail - security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-6596"], "modified": "2018-11-13T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:django-anymail", "cpe:/o:debian:debian_linux:9.0"], "id": "DEBIAN_DSA-4107.NASL", "href": "https://www.tenable.com/plugins/nessus/106662", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-4107. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(106662);\n script_version(\"3.4\");\n script_cvs_date(\"Date: 2018/11/13 12:30:46\");\n\n script_cve_id(\"CVE-2018-6596\");\n script_xref(name:\"DSA\", value:\"4107\");\n\n script_name(english:\"Debian DSA-4107-1 : django-anymail - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that the webhook validation of Anymail, a Django\nemail backends for multiple ESPs, is prone to a timing attack. A\nremote attacker can take advantage of this flaw to obtain a\nWEBHOOK_AUTHORIZATION secret and post arbitrary email tracking events.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889450\"\n );\n # https://security-tracker.debian.org/tracker/source-package/django-anymail\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?2e2e1edf\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/django-anymail\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2018/dsa-4107\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the django-anymail packages.\n\nFor the stable distribution (stretch), this problem has been fixed in\nversion 0.8-2+deb9u1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:debian:debian_linux:django-anymail\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/02/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/02/08\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"9.0\", prefix:\"python-django-anymail\", reference:\"0.8-2+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"python3-django-anymail\", reference:\"0.8-2+deb9u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}], "debiancve": [{"lastseen": "2022-01-29T07:29:24", "description": "webhooks/base.py in Anymail (aka django-anymail) before 1.2.1 is prone to a timing attack vulnerability on the WEBHOOK_AUTHORIZATION secret, which allows remote attackers to post arbitrary e-mail tracking events.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": 
"NONE", "integrityImpact": "HIGH", "baseScore": 9.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.2}, "published": "2018-02-03T21:29:00", "type": "debiancve", "title": "CVE-2018-6596", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-6596"], "modified": "2018-02-03T21:29:00", "id": "DEBIANCVE:CVE-2018-6596", "href": "https://security-tracker.debian.org/tracker/CVE-2018-6596", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}], "github": [{"lastseen": "2022-05-13T12:33:35", "description": "webhooks/base.py in Anymail (aka django-anymail) before 1.2.1 is prone to a timing attack vulnerability on the WEBHOOK_AUTHORIZATION secret, which allows remote attackers to post arbitrary e-mail tracking events.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2018-07-12T20:30:40", "type": "github", "title": "Django-Anymail prone to a timing attack", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-6596"], "modified": "2022-04-26T18:07:14", "id": "GHSA-HXF9-7H4C-F5JV", "href": "https://github.com/advisories/GHSA-hxf9-7h4c-f5jv", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}], "cve": [{"lastseen": "2022-03-23T18:25:07", "description": "webhooks/base.py in Anymail (aka django-anymail) before 1.2.1 is prone to a timing attack vulnerability on the WEBHOOK_AUTHORIZATION secret, which allows remote attackers to post arbitrary e-mail tracking events.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2018-02-03T21:29:00", "type": "cve", "title": "CVE-2018-6596", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-6596"], "modified": "2018-03-02T13:56:00", "cpe": ["cpe:/o:debian:debian_linux:9.0"], "id": "CVE-2018-6596", 
"href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-6596", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2019-07-04T18:56:07", "description": "It was discovered that the webhook validation of Anymail, a Django email\nbackends for multiple ESPs, is prone to a timing attack. A remote\nattacker can take advantage of this flaw to obtain a\nWEBHOOK_AUTHORIZATION secret and post arbitrary email tracking events.", "cvss3": {}, "published": "2018-02-07T00:00:00", "type": "openvas", "title": "Debian Security Advisory DSA 4107-1 (django-anymail - security update)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-6596"], "modified": "2019-07-04T00:00:00", "id": "OPENVAS:1361412562310704107", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310704107", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Auto-generated from advisory DSA 4107-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.704107\");\n script_version(\"2019-07-04T09:25:28+0000\");\n script_cve_id(\"CVE-2018-6596\");\n script_name(\"Debian Security Advisory DSA 4107-1 (django-anymail - security update)\");\n script_tag(name:\"last_modification\", value:\"2019-07-04 09:25:28 +0000 (Thu, 04 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-02-07 00:00:00 +0100 (Wed, 07 Feb 2018)\");\n script_tag(name:\"cvss_base\", value:\"6.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://www.debian.org/security/2018/dsa-4107.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB9\");\n script_tag(name:\"affected\", value:\"django-anymail on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the stable distribution (stretch), this problem has been fixed in\nversion 0.8-2+deb9u1.\n\nWe recommend that you upgrade your django-anymail packages.\");\n\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/django-anymail\");\n script_tag(name:\"summary\", value:\"It was discovered that the webhook validation of Anymail, a Django email\nbackends for multiple ESPs, is prone to a timing 
attack. A remote\nattacker can take advantage of this flaw to obtain a\nWEBHOOK_AUTHORIZATION secret and post arbitrary email tracking events.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"python-django-anymail\", ver:\"0.8-2+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"python3-django-anymail\", ver:\"0.8-2+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}]}