7.5

CVE-2017-5493

EPSS 1.67%
Veröffentlicht 15.01.2017 02:59:03
Zuletzt bearbeitet 20.04.2025 01:37:25
Quelle cve@mitre.org
Teams Watchlist Login
Unerledigt Login

wp-includes/ms-functions.php in the Multisite WordPress API in WordPress before 4.7.1 does not properly choose random numbers for keys, which makes it easier for remote attackers to bypass intended access restrictions via a crafted (1) site signup or (2) user signup.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 11

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Wordpress ≫ Wordpress Version <= 4.7

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.67%	0.815

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:N/I:P/A:N

CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.

http://www.openwall.com/lists/oss-security/2017/01/14/6

Third Party Advisory

Mailing List

http://www.securitytracker.com/id/1037591

https://codex.wordpress.org/Version_4.7.1

Vendor Advisory

Release Notes

https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/

Vendor Advisory

http://www.debian.org/security/2017/dsa-3779

http://www.securityfocus.com/bid/95401

https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4

Patch

https://wpvulndb.com/vulnerabilities/8721

https://nvd.nist.gov/vuln/detail/CVE-2017-5493

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2017-5493

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2017-5493

EUVD