CVE-2017-14990
Published: 3 October 2017
WordPress 4.8.2 stores cleartext wp_signups.activation_key values (but stores the analogous wp_users.user_activation_key values as hashes), which might make it easier for remote attackers to hijack unactivated user accounts by leveraging database read access (such as access gained through an unspecified SQL injection vulnerability).
Priority
Status
Package | Release | Status |
---|---|---|
wordpress Launchpad, Ubuntu, Debian | jammy | Not vulnerable (4.8.2+dfsg-2) |
wordpress | kinetic | Not vulnerable (4.8.2+dfsg-2) |
wordpress | lunar | Not vulnerable (4.8.2+dfsg-2) |
wordpress | artful | Not vulnerable (4.8.2+dfsg-2) |
wordpress | bionic | Not vulnerable (4.8.2+dfsg-2) |
wordpress | cosmic | Not vulnerable (4.8.2+dfsg-2) |
wordpress | disco | Not vulnerable (4.8.2+dfsg-2) |
wordpress | eoan | Not vulnerable (4.8.2+dfsg-2) |
wordpress | focal | Not vulnerable (4.8.2+dfsg-2) |
wordpress | groovy | Not vulnerable (4.8.2+dfsg-2) |
wordpress | hirsute | Not vulnerable (4.8.2+dfsg-2) |
wordpress | impish | Not vulnerable (4.8.2+dfsg-2) |
wordpress | trusty | Does not exist (trusty was needed) |
wordpress | upstream | Released (4.8.2+dfsg-2) |
wordpress | xenial | Needed |
wordpress | zesty | Ignored (end of life) |
wordpress | mantic | Not vulnerable (4.8.2+dfsg-2) |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 6.5 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | Low |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | None |
Availability impact | None |
Vector | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |