Safety vulnerability ID: 35198
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Django-anymail version 1.4 includes a fix for CVE-2018-1000089: Anymail django-anymail version version 0.2 through 1.3 contains a CWE-532, CWE-209 vulnerability in WEBHOOK_AUTHORIZATION setting value that can result in an attacker with access to error logs could fabricate email tracking events. If you have exposed your Django error reports, an attacker could discover your ANYMAIL_WEBHOOK setting and use this to post fabricated or malicious Anymail tracking/inbound events to your app.
https://github.com/anymail/django-anymail/commit/1a6086f2b58478d71f89bf27eb034ed81aefe5ef
Latest version: 10.3
Django email backends and webhooks for Amazon SES, Brevo (Sendinblue), MailerSend, Mailgun, Mailjet, Mandrill, Postal, Postmark, Resend, SendGrid, SparkPost and Unisender Go
**Security fix**
This fixes a low severity security issue affecting Anymail v0.2–v1.3.
Django error reporting includes the value of your Anymail WEBHOOK_AUTHORIZATION setting. In a properly-configured deployment, this should not be cause for concern. But if you have somehow exposed your Django error reports (e.g., by mis-deploying with DEBUG=True or by sending error reports through insecure channels), anyone who gains access to those reports could discover your webhook shared secret. An attacker could use this to post fabricated or malicious Anymail tracking/inbound events to your app, if you are using those Anymail features.
The fix renames Anymail's webhook shared secret setting so that Django's error reporting mechanism will [sanitize][0] it.
If you are using Anymail's event tracking and/or inbound webhooks, you should upgrade to this release and change "WEBHOOK_AUTHORIZATION" to "WEBHOOK_SECRET" in the ANYMAIL section of your settings.py. You may also want to [rotate the shared secret][1] value, particularly if you have ever exposed your Django error reports to untrusted individuals.
If you are only using Anymail's EmailBackends for sending email and have not set up Anymail's webhooks, this issue does not affect you.
The old WEBHOOK_AUTHORIZATION setting is still allowed in this release, but will issue a system-check warning when running most Django management commands. It will be removed completely in a near-future release, as a breaking change.
Thanks to Charlie DeTar (yourcelf) for responsibly reporting this security issue through private channels.
[0]: https://docs.djangoproject.com/en/stable/ref/settings/debug
[1]: https://anymail.readthedocs.io/en/1.4/tips/securing_webhooks/use-a-shared-authorization-secret
Scan your Python project for dependency vulnerabilities in two minutes
Scan your application