Candidate: CVE-2017-14990
PublicDate: 2017-10-03 01:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14990
Description:
 WordPress 4.8.2 stores cleartext wp_signups.activation_key values (but
 stores the analogous wp_users.user_activation_key values as hashes), which
 might make it easier for remote attackers to hijack unactivated user
 accounts by leveraging database read access (such as access gained through
 an unspecified SQL injection vulnerability).
Ubuntu-Description:
Notes:
Bugs:
 https://core.trac.wordpress.org/ticket/38474
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877629
Priority: low
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N [6.5 MEDIUM]

Patches_wordpress:
upstream_wordpress: released (4.8.2+dfsg-2)
precise/esm_wordpress: DNE
trusty_wordpress: ignored (reached end-of-life)
trusty/esm_wordpress: DNE (trusty was needed)
vivid/ubuntu-core_wordpress: DNE
xenial_wordpress: ignored (end of standard support, was needed)
zesty_wordpress: ignored (reached end-of-life)
artful_wordpress: not-affected (4.8.2+dfsg-2)
bionic_wordpress: not-affected (4.8.2+dfsg-2)
cosmic_wordpress: not-affected (4.8.2+dfsg-2)
disco_wordpress: not-affected (4.8.2+dfsg-2)
eoan_wordpress: not-affected (4.8.2+dfsg-2)
focal_wordpress: not-affected (4.8.2+dfsg-2)
groovy_wordpress: not-affected (4.8.2+dfsg-2)
hirsute_wordpress: not-affected (4.8.2+dfsg-2)
impish_wordpress: not-affected (4.8.2+dfsg-2)
jammy_wordpress: not-affected (4.8.2+dfsg-2)
devel_wordpress: not-affected (4.8.2+dfsg-2)