CVE-2016-6801

HIGH

Apache Jackrabbit < 2.4.6 - CSRF


Exploitation Summary

EIP tracks 2 public exploits for CVE-2016-6801. PoCs published by dawetmaster, andikahilmy.

AI-analyzed exploit summary This repository contains functional exploit code demonstrating CVE-2016-6801, a deserialization vulnerability in Apache Jackrabbit. The provided Java classes (FirstHop, SecondHop, ThirdHop) interact with a vulnerable Jackrabbit instance, showcasing how arbitrary code execution can be achieved through crafted serialized data.

Description

Cross-site request forgery (CSRF) vulnerability in the CSRF content-type check in Jackrabbit-Webdav in Apache Jackrabbit 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.3, 2.10.x before 2.10.4, 2.12.x before 2.12.4, and 2.13.x before 2.13.3 allows remote attackers to hijack the authentication of unspecified victims for requests that create a resource via an HTTP POST request with a (1) missing or (2) crafted Content-Type header.

Exploits (2)

nomisec WORKING POC
by dawetmaster · poc
https://github.com/dawetmaster/CVE-2016-6801-jackrabbit-vulnerable

Classification: Working PoC (90%)
Attack type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: Apache Jackrabbit (versions affected by CVE-2016-6801)
Authentication: none needed
Prerequisites: Access to a vulnerable Apache Jackrabbit instance · Ability to send crafted serialized data to the target
Analyzed by devstral-2 · Mar 14, 2026
nomisec WORKING POC
by andikahilmy · poc
https://github.com/andikahilmy/CVE-2016-6801-jackrabbit-vulnerable

This repository contains functional exploit code demonstrating CVE-2016-6801, a deserialization vulnerability in Apache Jackrabbit. The provided Java examples (FirstHop, SecondHop, ThirdHop) interact with a vulnerable Jackrabbit instance, showcasing how arbitrary code execution can be achieved through crafted serialized data.

Classification: Working PoC (90%)
Attack type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: Apache Jackrabbit (versions affected by CVE-2016-6801)
Authentication: none needed
Prerequisites: Access to a vulnerable Apache Jackrabbit instance · Ability to send crafted serialized data
Analyzed by devstral-2 · Feb 18, 2026

References (4)

Third Party Advisory (mailing list): http://www.openwall.com/lists/oss-security/2016/09/14/6
Third Party Advisory (Debian vendor advisory): http://www.debian.org/security/2016/dsa-3679
Vendor Advisory (Apache JIRA, confirm): https://issues.apache.org/jira/browse/JCR-4009
Third Party Advisory, VDB Entry (SecurityFocus BID): http://www.securityfocus.com/bid/92966

Scores

CVSS v3: 8.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS: 0.0036 (percentile 58.7%)
Attack Vector: NETWORK

Details

CWE: CWE-352
Status: published
Products (28)
apache/jackrabbit 2.4.0
apache/jackrabbit 2.4.1
apache/jackrabbit 2.4.2
apache/jackrabbit 2.4.3
apache/jackrabbit 2.4.4
apache/jackrabbit 2.4.5
apache/jackrabbit 2.6.0
apache/jackrabbit 2.6.1
apache/jackrabbit 2.6.2
apache/jackrabbit 2.6.3
... and 18 more
Published: Sep 21, 2016
Tracked since: Feb 18, 2026