7.5

CVE-2017-5493

WordPress Core < 4.7.1 - Weak Multi-Site Activation Key for User and Site Signup

wp-includes/ms-functions.php in the Multisite WordPress API in WordPress before 4.7.1 does not properly choose random numbers for keys, which makes it easier for remote attackers to bypass intended access restrictions via a crafted (1) site signup or (2) user signup.
Mögliche Gegenmaßnahme
WordPress: Update to one of the following versions, or a newer patched version: 3.7.17, 3.8.17, 3.9.15, 4.0.14, 4.1.14, 4.2.11, 4.3.7, 4.4.6, 4.5.5, 4.6.2, 4.7.1
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
WordpressWordpress Version <= 4.7
Weitere Schwachstelleninformationen
SystemWordPress Core
Produkt WordPress
Version [*, 3.7)
Version 3.7-3.7.16
Version 3.8-3.8.16
Version 3.9-3.9.14
Version 4.0-4.0.13
Version 4.1-4.1.13
Version 4.2-4.2.10
Version 4.3-4.3.6
Version 4.4-4.4.5
Version 4.5-4.5.4
Version 4.6-4.6.1
Version 4.7
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 2.89% 0.851
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd@nist.gov 5 10 2.9
AV:N/AC:L/Au:N/C:N/I:P/A:N
CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.

http://www.openwall.com/lists/oss-security/2017/01/14/6
Third Party Advisory
Mailing List
http://www.securitytracker.com/id/1037591
https://codex.wordpress.org/Version_4.7.1
Vendor Advisory
Release Notes
https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
Vendor Advisory
http://www.debian.org/security/2017/dsa-3779
http://www.securityfocus.com/bid/95401
https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4
Patch
https://wpvulndb.com/vulnerabilities/8721
https://www.wordfence.com/threat-intel/vulnerabilities/id/14b7fd1e-6e2d-49bb-8492-b072afeebd88
Third Party Advisory