CVE-2017-5493 — Use of Cryptographically Weak Pseudo-Random Number Generator in Wordpress

CWE-338 — Use of Cryptographically Weak Pseudo-Random Number Generator4 documents4 sources

Severity

7.5HIGHNVD

EPSS

1.7%

top 17.86%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wordpress Debian Wordpress

Timeline

PublishedJan 15

Latest updateMay 13

Description

wp-includes/ms-functions.php in the Multisite WordPress API in WordPress before 4.7.1 does not properly choose random numbers for keys, which makes it easier for remote attackers to bypass intended access restrictions via a crafted (1) site signup or (2) user signup.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶debiandebian/wordpress< wordpress 4.7.1+dfsg-1 (bookworm)

▶Debianwordpress/wordpress< 4.7.1+dfsg-1+3

▶NVDwordpress/wordpress4.7

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-q3gc-45gm-v55m: wp-includes/ms-functions↗2022-05-13

▶

OSV

CVE-2017-5493: wp-includes/ms-functions↗2017-01-15

▶

📋Vendor Advisories

Debian

CVE-2017-5493: wordpress - wp-includes/ms-functions.php in the Multisite WordPress API in WordPress before ...↗2017

▶