NVD Vulnerability Detail

CVE-2017-8295

Summary	WordPress through 4.7.4 relies on the Host HTTP header for a password-reset e-mail message, which makes it easier for remote attackers to reset arbitrary passwords by making a crafted wp-login.php?action=lostpassword request and then arranging for this message to bounce or be resent, leading to transmission of the reset key to a mailbox on an attacker-controlled SMTP server. This is related to problematic use of the SERVER_NAME variable in wp-includes/pluggable.php in conjunction with the PHP mail function. Exploitation is not achievable in all cases because it requires at least one of the following: (1) the attacker can prevent the victim from receiving any e-mail messages for an extended period of time (such as 5 days), (2) the victim's e-mail system sends an autoresponse containing the original message, or (3) the victim manually composes a reply containing the original message.
Publication Date	May 4, 2017, 11:29 p.m.
Registration Date	Jan. 26, 2021, 1:29 p.m.
Last Update	Nov. 21, 2024, 12:33 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:wordpress:wordpress::::::::			4.7.4

Related information, measures and tools

No	URL	タグ
1	http://www.debian.org/security/2017/dsa-3870
2	http://www.debian.org/security/2017/dsa-3870
3	http://www.securityfocus.com/bid/98295	Third Party Advisory VDB Entry
4	http://www.securityfocus.com/bid/98295	Third Party Advisory VDB Entry
5	http://www.securitytracker.com/id/1038403
6	http://www.securitytracker.com/id/1038403
7	https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html	Exploit Technical Description Third Party Advisory
8	https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html	Exploit Technical Description Third Party Advisory
9	https://wpvulndb.com/vulnerabilities/8807
10	https://wpvulndb.com/vulnerabilities/8807
11	https://www.exploit-db.com/exploits/41963/	Exploit Third Party Advisory
12	https://www.exploit-db.com/exploits/41963/	Exploit Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-640	パスワードを忘れた場合の脆弱なパスワードリカバリの仕組み	https://cwe.mitre.org/data/definitions/640.html

JVN Vulnerability Information

WordPress におけるパスワード管理機能に関する脆弱性

Title	WordPress におけるパスワード管理機能に関する脆弱性
Summary	WordPress には、wp-includes/pluggable.php の SERVER_NAME 変数が PHP のメール機能に不備があるため、パスワード管理機能に関する脆弱性が存在します。
Possible impacts	リモートの攻撃者により、巧妙に細工された wp-login.php？action=lostpassword リクエストを介して、SMTP サーバ上のメールボックスにリセットキーを送信する可能性があります。
Solution	ベンダ情報および参考情報を参照して適切な対策を実施してください。
Publication Date	May 3, 2017, midnight
Registration Date	May 19, 2017, 3:55 p.m.
Last Update	May 19, 2017, 3:55 p.m.

Affected System

WordPress.org

WordPress 4.7.4 まで

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2017-8295	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8295
National Vulnerability Database (NVD)
2	CVE-2017-8295	https://nvd.nist.gov/vuln/detail/CVE-2017-8295

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-640	https://cwe.mitre.org/data/definitions/640.html

ベンダー情報

No	Name	URL
WordPress.org
1	Top Page	https://wordpress.org/

その他

No	Name	URL
関連文書
1	WordPress Password Reset CVE-2017-8295 Security Bypass Vulnerability	http://www.securityfocus.com/bid/98295

Change Log

No	Changed Details	Date of change
0	[2017年05月19日] 掲載	Feb. 17, 2018, 10:37 a.m.