CVE-2017-8295

{"id": "CVE-2017-8295", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.2}]}, "published": "2017-05-04T14:29:00.200", "references": [{"url": "http://www.debian.org/security/2017/dsa-3870", "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/bid/98295", "tags": ["Third Party Advisory", "VDB Entry"], "source": "cve@mitre.org"}, {"url": "http://www.securitytracker.com/id/1038403", "source": "cve@mitre.org"}, {"url": "https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html", "tags": ["Exploit", "Technical Description", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://wpvulndb.com/vulnerabilities/8807", "source": "cve@mitre.org"}, {"url": "https://www.exploit-db.com/exploits/41963/", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-640"}]}], "descriptions": [{"lang": "en", "value": "WordPress through 4.7.4 relies on the Host HTTP header for a password-reset e-mail message, which makes it easier for remote attackers to reset arbitrary passwords by making a crafted wp-login.php?action=lostpassword request and then arranging for this message to bounce or be resent, leading to transmission of the reset key to a mailbox on an attacker-controlled SMTP server. This is related to problematic use of the SERVER_NAME variable in wp-includes/pluggable.php in conjunction with the PHP mail function. Exploitation is not achievable in all cases because it requires at least one of the following: (1) the attacker can prevent the victim from receiving any e-mail messages for an extended period of time (such as 5 days), (2) the victim's e-mail system sends an autoresponse containing the original message, or (3) the victim manually composes a reply containing the original message."}, {"lang": "es", "value": "WordPress hasta la versi\u00f3n 4.7.4 se basa en el encabezado HOST de HTTP para un mensaje de correo electr\u00f3nico de restablecimiento de contrase\u00f1a, lo que hace m\u00e1s f\u00e1cil para los atacantes remotos restablecer contrase\u00f1as arbitrarias mediante una solicitud wp-login.php?action=lostpassword especialmente dise\u00f1ada y despu\u00e9s hacer lo necesario para que dicho mensaje se devuelva o sea reenviado, dando lugar a la transmisi\u00f3n de la clave de restablecimiento a un buz\u00f3n en un servidor SMTP controlado por el atacante. Esto est\u00e1 relacionado con el uso problem\u00e1tico de la variable SERVER_NAME en wp-includes/pluggable.php junto con la funci\u00f3n de correo de PHP. La explotaci\u00f3n no es posible en todos los casos porque requiere al menos uno de los siguientes: (1) el atacante puede evitar que la v\u00edctima reciba mensajes de correo electr\u00f3nico durante un per\u00edodo de tiempo prolongado (como 5 d\u00edas), (2) el sistema de correo electr\u00f3nico de la v\u00edctima env\u00eda una respuesta autom\u00e1tica que contiene el mensaje original, o (3) la v\u00edctima compone manualmente una respuesta que contiene el mensaje original."}], "lastModified": "2017-11-04T01:29:53.947", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0F07CF70-A29C-490E-8728-C51AED224D76", "versionEndIncluding": "4.7.4"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}