CVE-2017-8295 - OpenCVE

Vendors	Products
Wordpress	Wordpress

Link	Resource
http://www.debian.org/security/2017/dsa-3870
http://www.securityfocus.com/bid/98295	Third Party Advisory VDB Entry
http://www.securitytracker.com/id/1038403
https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html	Exploit Technical Description Third Party Advisory
https://wpvulndb.com/vulnerabilities/8807
https://www.exploit-db.com/exploits/41963/	Exploit Third Party Advisory

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2017-05-04T00:00:00", "descriptions": [{"lang": "en", "value": "WordPress through 4.7.4 relies on the Host HTTP header for a password-reset e-mail message, which makes it easier for remote attackers to reset arbitrary passwords by making a crafted wp-login.php?action=lostpassword request and then arranging for this message to bounce or be resent, leading to transmission of the reset key to a mailbox on an attacker-controlled SMTP server. This is related to problematic use of the SERVER_NAME variable in wp-includes/pluggable.php in conjunction with the PHP mail function. Exploitation is not achievable in all cases because it requires at least one of the following: (1) the attacker can prevent the victim from receiving any e-mail messages for an extended period of time (such as 5 days), (2) the victim's e-mail system sends an autoresponse containing the original message, or (3) the victim manually composes a reply containing the original message."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-11-03T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "41963", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "https://www.exploit-db.com/exploits/41963/"}, {"tags": ["x_refsource_MISC"], "url": "https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html"}, {"name": "DSA-3870", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2017/dsa-3870"}, {"name": "1038403", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1038403"}, {"name": "98295", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/98295"}, {"tags": ["x_refsource_MISC"], "url": "https://wpvulndb.com/vulnerabilities/8807"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-8295", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "WordPress through 4.7.4 relies on the Host HTTP header for a password-reset e-mail message, which makes it easier for remote attackers to reset arbitrary passwords by making a crafted wp-login.php?action=lostpassword request and then arranging for this message to bounce or be resent, leading to transmission of the reset key to a mailbox on an attacker-controlled SMTP server. This is related to problematic use of the SERVER_NAME variable in wp-includes/pluggable.php in conjunction with the PHP mail function. Exploitation is not achievable in all cases because it requires at least one of the following: (1) the attacker can prevent the victim from receiving any e-mail messages for an extended period of time (such as 5 days), (2) the victim's e-mail system sends an autoresponse containing the original message, or (3) the victim manually composes a reply containing the original message."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "41963", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/41963/"}, {"name": "https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html", "refsource": "MISC", "url": "https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html"}, {"name": "DSA-3870", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2017/dsa-3870"}, {"name": "1038403", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1038403"}, {"name": "98295", "refsource": "BID", "url": "http://www.securityfocus.com/bid/98295"}, {"name": "https://wpvulndb.com/vulnerabilities/8807", "refsource": "MISC", "url": "https://wpvulndb.com/vulnerabilities/8807"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-8295", "datePublished": "2017-05-04T14:00:00", "dateReserved": "2017-04-27T00:00:00", "dateUpdated": "2017-11-03T18:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*", "matchCriteriaId": "0F07CF70-A29C-490E-8728-C51AED224D76", "versionEndIncluding": "4.7.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "WordPress through 4.7.4 relies on the Host HTTP header for a password-reset e-mail message, which makes it easier for remote attackers to reset arbitrary passwords by making a crafted wp-login.php?action=lostpassword request and then arranging for this message to bounce or be resent, leading to transmission of the reset key to a mailbox on an attacker-controlled SMTP server. This is related to problematic use of the SERVER_NAME variable in wp-includes/pluggable.php in conjunction with the PHP mail function. Exploitation is not achievable in all cases because it requires at least one of the following: (1) the attacker can prevent the victim from receiving any e-mail messages for an extended period of time (such as 5 days), (2) the victim's e-mail system sends an autoresponse containing the original message, or (3) the victim manually composes a reply containing the original message."}, {"lang": "es", "value": "WordPress hasta la versi\u00f3n 4.7.4 se basa en el encabezado HOST de HTTP para un mensaje de correo electr\u00f3nico de restablecimiento de contrase\u00f1a, lo que hace m\u00e1s f\u00e1cil para los atacantes remotos restablecer contrase\u00f1as arbitrarias mediante una solicitud wp-login.php?action=lostpassword especialmente dise\u00f1ada y despu\u00e9s hacer lo necesario para que dicho mensaje se devuelva o sea reenviado, dando lugar a la transmisi\u00f3n de la clave de restablecimiento a un buz\u00f3n en un servidor SMTP controlado por el atacante. Esto est\u00e1 relacionado con el uso problem\u00e1tico de la variable SERVER_NAME en wp-includes/pluggable.php junto con la funci\u00f3n de correo de PHP. La explotaci\u00f3n no es posible en todos los casos porque requiere al menos uno de los siguientes: (1) el atacante puede evitar que la v\u00edctima reciba mensajes de correo electr\u00f3nico durante un per\u00edodo de tiempo prolongado (como 5 d\u00edas), (2) el sistema de correo electr\u00f3nico de la v\u00edctima env\u00eda una respuesta autom\u00e1tica que contiene el mensaje original, o (3) la v\u00edctima compone manualmente una respuesta que contiene el mensaje original."}], "id": "CVE-2017-8295", "lastModified": "2017-11-04T01:29:53.947", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-05-04T14:29:00.200", "references": [{"source": "cve@mitre.org", "url": "http://www.debian.org/security/2017/dsa-3870"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/98295"}, {"source": "cve@mitre.org", "url": "http://www.securitytracker.com/id/1038403"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Technical Description", "Third Party Advisory"], "url": "https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html"}, {"source": "cve@mitre.org", "url": "https://wpvulndb.com/vulnerabilities/8807"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.exploit-db.com/exploits/41963/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-640"}], "source": "nvd@nist.gov", "type": "Primary"}]}

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

JSON object

JSON object

JSON object