CVE-2018-1000089
django-anymail Includes Sensitive Information in Log Files
7.4
HIGH
CVSS 3.1
EPSS 0.31%
Description
Anymail django-anymail versions 0.2 through 1.3 contain a CWE-532 / CWE-209 vulnerability in the WEBHOOK_AUTHORIZATION setting value: an attacker with access to error logs could fabricate email tracking events. The issue is exploitable if you have exposed your Django error reports: an attacker could discover your ANYMAIL_WEBHOOK setting and use it to post fabricated or malicious Anymail tracking/inbound events to your app. This vulnerability appears to have been fixed in v1.4.
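An added illustration (not code from the django-anymail project or this advisory) of why the value could appear in an error report: Django's debug error page redacts settings whose names match a hidden-settings keyword pattern, and WEBHOOK_AUTHORIZATION matches none of the default keywords, so a nested ANYMAIL dict was dumped with that value in plaintext. The pattern below is assumed to mirror Django 2.x's default filter (check your Django version's source); the settings dict and secret values are constructed.

```python
import re

# Assumption: approximates Django's default SafeExceptionReporterFilter keywords.
DJANGO_DEFAULT_HIDDEN = re.compile(r"API|TOKEN|KEY|SECRET|PASS|SIGNATURE", re.I)
# Broader pattern that also covers a setting name like WEBHOOK_AUTHORIZATION.
HARDENED_HIDDEN = re.compile(r"API|TOKEN|KEY|SECRET|PASS|SIGNATURE|AUTHORIZATION", re.I)
CLEANSED = "********************"

# Constructed sample settings; the values are placeholders, not real credentials.
SAMPLE_SETTINGS = {
    "DEBUG": True,
    "SECRET_KEY": "example-secret-key",
    "ANYMAIL": {
        "MAILGUN_API_KEY": "example-mailgun-key",
        "WEBHOOK_AUTHORIZATION": "hookuser:example-webhook-secret",
    },
}
SECRETS = ["example-secret-key", "example-mailgun-key", "example-webhook-secret"]


def cleanse_setting(key, value, hidden):
    """Redact one setting the way an error-report filter does: a key that
    matches the hidden pattern is replaced wholesale; otherwise nested dicts
    are cleansed key by key and any other value passes through unchanged."""
    if hidden.search(str(key)):
        return CLEANSED
    if isinstance(value, dict):
        return {k: cleanse_setting(k, v, hidden) for k, v in value.items()}
    return value


def secrets_visible_in_report(settings, hidden, secrets):
    """Cleanse the whole settings dict with `hidden`, render it as the debug
    page would, and return the known secret values that survive in plaintext.
    An empty list means the filter hides every value you listed."""
    cleansed = {k: cleanse_setting(k, v, hidden) for k, v in settings.items()}
    dump = repr(cleansed)
    return sorted(s for s in secrets if s in dump)


if __name__ == "__main__":
    # With the default keywords only the webhook authorization value leaks;
    # with the broadened pattern nothing does.
    print(secrets_visible_in_report(SAMPLE_SETTINGS, DJANGO_DEFAULT_HIDDEN, SECRETS))
    print(secrets_visible_in_report(SAMPLE_SETTINGS, HARDENED_HIDDEN, SECRETS))
```

Running the check against your own settings names (rather than relying on a keyword pattern) is a quick way to confirm that every credential would be redacted before a debug page or error e-mail is ever rendered; disabling DEBUG in production remains the primary control.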
How to fix CVE-2018-1000089
To remediate CVE-2018-1000089, upgrade the affected package to a fixed version below.
- upgrade to 1.4-1 or later
- upgrade to 1.4 or later
- upgrade to commit 1a6086f2b58478d71f89bf27eb034ed81aefe5ef or later
Is CVE-2018-1000089 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- from 0, < 1.4-1
- >= 0.2, < 1.4
- from 0, < 1a6086f2b58478d71f89bf27eb034ed81aefe5ef | >= 0.2, < 1.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | HIGH 7.4 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |