CVE-2017-0897

EPSS 0.7%
Veröffentlicht 22.06.2017 21:29:00
Zuletzt bearbeitet 20.04.2025 01:37:25
Quelle support@hackerone.com
CVE-Watchlists
Login
Unerledigt
Login

ExpressionEngine version 2.x < 2.11.8 and version 3.x < 3.5.5 create an object signing token with weak entropy. Successfully guessing the token can lead to remote code execution.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 8

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Expressionengine ≫ Expressionengine Version2.0.0 Updatepublic_beta

Expressionengine ≫ Expressionengine Version2.0.1 Updatepublic_beta

Expressionengine ≫ Expressionengine Version2.0.2 Updatepublic_beta

Expressionengine ≫ Expressionengine Version2.1.0

Expressionengine ≫ Expressionengine Version2.1.1

Expressionengine ≫ Expressionengine Version2.1.2

Expressionengine ≫ Expressionengine Version2.1.3

Expressionengine ≫ Expressionengine Version2.1.4

Expressionengine ≫ Expressionengine Version2.1.5

Expressionengine ≫ Expressionengine Version2.2.0

Expressionengine ≫ Expressionengine Version2.2.1

Expressionengine ≫ Expressionengine Version2.2.2

Expressionengine ≫ Expressionengine Version2.3.0

Expressionengine ≫ Expressionengine Version2.3.1

Expressionengine ≫ Expressionengine Version2.4.0

Expressionengine ≫ Expressionengine Version2.5.0

Expressionengine ≫ Expressionengine Version2.5.1

Expressionengine ≫ Expressionengine Version2.5.2

Expressionengine ≫ Expressionengine Version2.5.3

Expressionengine ≫ Expressionengine Version2.5.4

Expressionengine ≫ Expressionengine Version2.5.5

Expressionengine ≫ Expressionengine Version2.6.0

Expressionengine ≫ Expressionengine Version2.6.1

Expressionengine ≫ Expressionengine Version2.7.0

Expressionengine ≫ Expressionengine Version2.7.1

Expressionengine ≫ Expressionengine Version2.7.2

Expressionengine ≫ Expressionengine Version2.7.3

Expressionengine ≫ Expressionengine Version2.8.0

Expressionengine ≫ Expressionengine Version2.8.1

Expressionengine ≫ Expressionengine Version2.9.0

Expressionengine ≫ Expressionengine Version2.9.1

Expressionengine ≫ Expressionengine Version2.9.2

Expressionengine ≫ Expressionengine Version2.9.3

Expressionengine ≫ Expressionengine Version2.10.0

Expressionengine ≫ Expressionengine Version2.10.1

Expressionengine ≫ Expressionengine Version2.10.2

Expressionengine ≫ Expressionengine Version2.10.3

Expressionengine ≫ Expressionengine Version2.11.0

Expressionengine ≫ Expressionengine Version2.11.1

Expressionengine ≫ Expressionengine Version2.11.2

Expressionengine ≫ Expressionengine Version2.11.3

Expressionengine ≫ Expressionengine Version2.11.4

Expressionengine ≫ Expressionengine Version2.11.5

Expressionengine ≫ Expressionengine Version2.11.6

Expressionengine ≫ Expressionengine Version2.11.7

Expressionengine ≫ Expressionengine Version3.0.0

Expressionengine ≫ Expressionengine Version3.0.1

Expressionengine ≫ Expressionengine Version3.0.2

Expressionengine ≫ Expressionengine Version3.0.3

Expressionengine ≫ Expressionengine Version3.0.4

Expressionengine ≫ Expressionengine Version3.0.5

Expressionengine ≫ Expressionengine Version3.0.6

Expressionengine ≫ Expressionengine Version3.1.0

Expressionengine ≫ Expressionengine Version3.1.1

Expressionengine ≫ Expressionengine Version3.1.2

Expressionengine ≫ Expressionengine Version3.1.3

Expressionengine ≫ Expressionengine Version3.1.4

Expressionengine ≫ Expressionengine Version3.2.0

Expressionengine ≫ Expressionengine Version3.2.1

Expressionengine ≫ Expressionengine Version3.3.0

Expressionengine ≫ Expressionengine Version3.3.1

Expressionengine ≫ Expressionengine Version3.3.2

Expressionengine ≫ Expressionengine Version3.3.3

Expressionengine ≫ Expressionengine Version3.3.4

Expressionengine ≫ Expressionengine Version3.4.0

Expressionengine ≫ Expressionengine Version3.4.1

Expressionengine ≫ Expressionengine Version3.4.2

Expressionengine ≫ Expressionengine Version3.4.3

Expressionengine ≫ Expressionengine Version3.4.4

Expressionengine ≫ Expressionengine Version3.4.5

Expressionengine ≫ Expressionengine Version3.4.6

Expressionengine ≫ Expressionengine Version3.4.7

Expressionengine ≫ Expressionengine Version3.5.0

Expressionengine ≫ Expressionengine Version3.5.1

Expressionengine ≫ Expressionengine Version3.5.2

Expressionengine ≫ Expressionengine Version3.5.3

Expressionengine ≫ Expressionengine Version3.5.4

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.7%	0.717

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:P/I:N/A:N

CWE-330 Use of Insufficiently Random Values

The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

CWE-331 Insufficient Entropy

The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.

http://www.securityfocus.com/bid/99242

Third Party Advisory

VDB Entry

https://docs.expressionengine.com/latest/about/changelog.html#version-3-5-5

Vendor Advisory

https://docs.expressionengine.com/v2/about/changelog.html#version-2-11-8

Vendor Advisory

https://expressionengine.com/blog/expressionengine-3.5.5-and-2.11.8-released

Vendor Advisory

https://hackerone.com/reports/215890

Permissions Required

https://nvd.nist.gov/vuln/detail/CVE-2017-0897