Cross-site request forgery (CSRF) vulnerability in the CSRF content-type check in Jackrabbit-Webdav in Apache Jackrabbit 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.3, 2.10.x before 2.10.4, 2.12.x before 2.12.4, and 2.13.x before 2.13.3 allows remote attackers to hijack the authentication of unspecified victims for requests that create a resource via an HTTP POST request with a (1) missing or (2) crafted Content-Type header.
www.debian.org/security/2016/dsa-3679
www.openwall.com/lists/oss-security/2016/09/14/6
github.com/apache/jackrabbit
github.com/apache/jackrabbit/commit/16f2f02fcaef6202a2bf24c449d4fd10eb98f08d
github.com/apache/jackrabbit/commit/ea75d7c2aeaafecd9ab97736bf81c5616f703244
github.com/apache/jackrabbit/commit/eae001a54aae9c243ac06b5c8f711b2cb2038700
issues.apache.org/jira/browse/JCR-4009
nvd.nist.gov/vuln/detail/CVE-2016-6801
web.archive.org/web/20210123170657/www.securityfocus.com/bid/92966