CVE-2016-6801
CVE-2016-6801 is a high-severity vulnerability in Apache Jackrabbit with a CVSS 3.x base score of 8.8. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-352.
Key facts
- Severity: High (CVSS 3.x base score 8.8)
- CVSS v2: 6.8
- EPSS exploit prediction: 2% (81st percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-352
- Affected product: Apache Jackrabbit
- Published:
- Last modified:
Description
Cross-site request forgery (CSRF) vulnerability in the CSRF content-type check in Jackrabbit-Webdav in Apache Jackrabbit 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.3, 2.10.x before 2.10.4, 2.12.x before 2.12.4, and 2.13.x before 2.13.3 allows remote attackers to hijack the authentication of unspecified victims for requests that create a resource via an HTTP POST request with a (1) missing or (2) crafted Content-Type header.
Frequently asked questions
- What is CVE-2016-6801?
- Cross-site request forgery (CSRF) vulnerability in the CSRF content-type check in Jackrabbit-Webdav in Apache Jackrabbit 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.3, 2.10.x before 2.10.4, 2.12.x before 2.12.4, and 2.13.x before 2.13.3 allows remote attackers to hijack the authentication of unspecified victims for requests that create a resource via an HTTP POST request with a (1) missing or (2) crafted Content-Type header.
- How severe is CVE-2016-6801?
- CVE-2016-6801 has a CVSS 3.x base score of 8.8, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2016-6801 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 2% (81st percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2016-6801?
- CVE-2016-6801 primarily affects Apache Jackrabbit. In total, 27 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2016-6801?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- When was CVE-2016-6801 published?
- CVE-2016-6801 was published on 2016-09-21 and last updated on 2026-06-17.
References
- http://www.debian.org/security/2016/dsa-3679
- http://www.openwall.com/lists/oss-security/2016/09/14/6
- http://www.securityfocus.com/bid/92966
- https://issues.apache.org/jira/browse/JCR-4009
Affected products (27)
- cpe:2.3:a:apache:jackrabbit:2.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.4.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.4.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.6.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.6.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.8.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.10.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.10.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.10.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.10.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.12.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.12.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.12.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.12.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.13.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.13.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.13.2:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
More vulnerabilities in Apache Jackrabbit
- CVE-2023-37895 — Critical (CVSS 9.8): Java object deserialization issue in Jackrabbit webapp/standalone on all platforms allows attacker to remotely execute…
- CVE-2025-53689 — High (CVSS 8.8): Blind XXE Vulnerabilities in jackrabbit-spi-commons and jackrabbit-core in Apache Jackrabbit < 2.23.2 due to usage of…
- CVE-2025-58782 — Medium (CVSS 6.5): Deserialization of Untrusted Data vulnerability in Apache Jackrabbit Core and Apache Jackrabbit JCR Commons. This…
- CVE-2015-1833 — Medium (CVSS 6.4): XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6,…
- CVE-2009-0026 — Medium (CVSS 4.3): Multiple cross-site scripting (XSS) vulnerabilities in Apache Jackrabbit before 1.5.2 allow remote attackers to inject…
All CVEs affecting Apache Jackrabbit →
Other CWE-352 (Cross-Site Request Forgery (CSRF)) vulnerabilities
- CVE-2025-32642 — Critical (CVSS 10.0): Cross-Site Request Forgery (CSRF) vulnerability in appsbd Vite Coupon vite-coupon allows Remote Code Inclusion.This…
- CVE-2025-23922 — Critical (CVSS 10.0): Cross-Site Request Forgery (CSRF) vulnerability in Harsh iSpring Embedder embed-ispring allows Upload a Web Shell to a…
- CVE-2017-5145 — Critical (CVSS 10.0): An issue was discovered in Carlo Gavazzi VMU-C EM prior to firmware Version A11_U05, and VMU-C PV prior to firmware…
- CVE-2019-25729 — Critical (CVSS 9.8): PDF Signer 3.0 contains a server-side template injection vulnerability that allows unauthenticated attackers to execute…
- CVE-2025-48340 — Critical (CVSS 9.8): Cross-Site Request Forgery (CSRF) vulnerability in Danny Vink User Profile Meta Manager user-profile-meta allows…
- CVE-2025-2907 — Critical (CVSS 9.8): The Order Delivery Date WordPress plugin before 12.3.1 does not have authorization and CSRF checks when importing…
Browse all CWE-352 (Cross-Site Request Forgery (CSRF)) vulnerabilities →