CVE-2018-6596

Advisory

In django-anymail before 1.4 the webhook validation was vulnerable to a timing attack. An attacker could have used this to obtain the WEBHOOK_AUTHORIZATION shared secret, potentially allowing them to post fabricated or malicious email tracking events to the app.

Affected package

Affected versions

Fixed versions

Vulnerability changelog

Security fix

Prevent timing attack on WEBHOOK_AUTHORIZATION secret

If you are using Anymail's tracking webhooks, you should upgrade to this release, and you may want to rotate to a new WEBHOOK_AUTHORIZATION shared secret (see [docs](http://anymail.readthedocs.io/en/stable/tips/securing_webhooks/use-a-shared-authorization-secret)). You should definitely change your webhook auth if your logs indicate attempted exploit.

*More information*

Anymail's webhook validation was vulnerable to a timing attack. An attacker could have used this to obtain your WEBHOOK_AUTHORIZATION shared secret, potentially allowing them to post fabricated or malicious email tracking events to your app.

There have not been any reports of attempted exploit. (The vulnerability was discovered through code review.) Attempts would be visible in HTTP logs as a very large number of 400 responses on Anymail's webhook urls (by default "/anymail/*esp_name*/tracking/"), and in Python error monitoring as a very large number of AnymailWebhookValidationFailure exceptions.

Resources

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6596
• https://github.com/anymail/django-anymail/releases/tag/v1.3
• https://github.com/anymail/django-anymail/releases/tag/v1.2.1
• https://github.com/anymail/django-anymail/commit/db586ede1fbb41dce21310ea28ae15a1cf1286c5
• https://github.com/anymail/django-anymail/commit/c07998304b4a31df4c61deddcb03d3607a04691b
• https://bugs.debian.org/889450
• https://www.debian.org/security/2018/dsa-4107