CVE-2017-9066

EPSS 1.41%
Veröffentlicht 18.05.2017 14:29:00
Zuletzt bearbeitet 20.04.2025 01:37:25
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

WordPress Core < 4.7.5 - Server-Side Request Forgery

In WordPress before 4.7.5, there is insufficient redirect validation in the HTTP class, leading to SSRF.

Mögliche Gegenmaßnahme

WordPress: Update to one of the following versions, or a newer patched version: 3.7.21, 3.8.21, 3.9.19, 4.0.18, 4.1.18, 4.2.15, 4.3.11, 4.4.10, 4.5.9, 4.6.6, 4.7.5

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 12

Weitere Schwachstelleninformationen

SystemWordPress Core

≫

Produkt WordPress

Version [*, 3.7)

Version 3.7 - 3.7.20

Version 3.8 - 3.8.20

Version 3.9 - 3.9.18

Version 4.0 - 4.0.17

Version 4.1 - 4.1.17

Version 4.2 - 4.2.14

Version 4.3 - 4.3.10

Version 4.4 - 4.4.9

Version 4.5 - 4.5.8

Version 4.6 - 4.6.5

Version 4.7 - 4.7.4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Wordpress ≫ Wordpress Version <= 4.7.4

Debian ≫ Debian Linux Version8.0

Debian ≫ Debian Linux Version9.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.41%	0.799

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.6	3.9	4	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:N/I:P/A:N

CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

http://www.securityfocus.com/bid/98509

Third Party Advisory

VDB Entry

http://www.securitytracker.com/id/1038520

Third Party Advisory

VDB Entry

https://codex.wordpress.org/Version_4.7.5

Patch

Release Notes

https://wordpress.org/news/2017/05/wordpress-4-7-5/

Patch

Vendor Advisory