Candidate: CVE-2017-7178
PublicDate: 2017-03-18 20:59:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7178
 http://git.deluge-torrent.org/deluge/commit/?h=1.3-stable&id=318ab179865e0707d7945edc3a13a464a108d583
 http://dev.deluge-torrent.org/wiki/ReleaseNotes/1.3.14
 http://git.deluge-torrent.org/deluge/commit/?h=develop&id=11e8957deaf0c76fdfbac62d99c8b6c61cfdddf9
 http://seclists.org/fulldisclosure/2017/Mar/6
 https://bugs.debian.org/857903
Description:
 CSRF was discovered in the web UI in Deluge before 1.3.14. The exploitation
 methodology involves (1) hosting a crafted plugin that executes an arbitrary
 program from its __init__.py file and (2) causing the victim to download,
 install, and enable this plugin.
Ubuntu-Description:
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857903
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H [8.8 HIGH]
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H [8.8 HIGH]

Patches_deluge:
upstream_deluge: released (1.3.13+git20161130.48cedf63-2, 1.3.14)
precise_deluge: ignored (reached end-of-life)
precise/esm_deluge: DNE (precise was needed)
trusty_deluge: ignored (reached end-of-life)
trusty/esm_deluge: DNE (trusty was needed)
vivid/stable-phone-overlay_deluge: DNE
vivid/ubuntu-core_deluge: DNE
xenial_deluge: ignored (end of standard support, was needed)
yakkety_deluge: ignored (reached end-of-life)
zesty_deluge: ignored (reached end-of-life)
artful_deluge: ignored (reached end-of-life)
bionic_deluge: not-affected (1.3.15-2)
cosmic_deluge: not-affected (1.3.15-2)
disco_deluge: not-affected (1.3.15-2)
eoan_deluge: not-affected (1.3.15-2)
focal_deluge: not-affected (1.3.15-2)
groovy_deluge: not-affected (1.3.15-2)
hirsute_deluge: not-affected (1.3.15-2)
impish_deluge: not-affected (1.3.15-2)
jammy_deluge: not-affected (1.3.15-2)
devel_deluge: not-affected (1.3.15-2)