CVE-2017-8295

Priority
Description
WordPress through 4.7.4 relies on the Host HTTP header for a password-reset
e-mail message, which makes it easier for remote attackers to reset
arbitrary passwords by making a crafted wp-login.php?action=lostpassword
request and then arranging for this message to bounce or be resent, leading
to transmission of the reset key to a mailbox on an attacker-controlled
SMTP server. This is related to problematic use of the SERVER_NAME variable
in wp-includes/pluggable.php in conjunction with the PHP mail function.
Exploitation is not achievable in all cases because it requires at least
one of the following: (1) the attacker can prevent the victim from
receiving any e-mail messages for an extended period of time (such as 5
days), (2) the victim's e-mail system sends an autoresponse containing the
original message, or (3) the victim manually composes a reply containing
the original message.
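The root cause described above is that the sender address of the reset e-mail is built from SERVER_NAME, which on a default web-server configuration echoes whatever Host header the client sent. The snippet below is an added illustration, not WordPress code or the Ubuntu/Debian patch: it places the weak pattern (sender domain taken from the request) beside a hardened one (sender domain taken from site configuration). Function names, the sample request and the site URL are constructed for the example.

```php
<?php
// Illustration for CVE-2017-8295 (not WordPress code). Names are hypothetical.

// Weak pattern: the From: domain comes from SERVER_NAME. With Apache's
// default "UseCanonicalName Off" (and similar defaults elsewhere) that
// variable is populated from the client-supplied Host header, so the
// bounce/autoreply destination of the reset mail is request-controlled.
function weak_sender_domain(array $server): string
{
    $host = $server['SERVER_NAME'] ?? 'localhost';
    // strip a leading "www.", mirroring a common pattern in reset-mail code
    return preg_replace('/^www\./i', '', $host);
}

// Hardened pattern: ignore request headers entirely and derive the sender
// domain from a configured site URL, refusing to continue if it is unusable.
function hardened_sender_domain(string $configured_site_url): string
{
    $host = parse_url($configured_site_url, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        throw new RuntimeException(
            'configured site URL has no host; refusing to build a sender address'
        );
    }
    return strtolower($host);
}

// Constructed request: the web server copied an arbitrary Host header into
// SERVER_NAME. The configured site URL is the trusted source of truth.
$server     = ['SERVER_NAME' => 'not-our-site.example', 'HTTP_HOST' => 'not-our-site.example'];
$configured = 'https://blog.example.org';

echo 'weak From domain:     ' . weak_sender_domain($server) . PHP_EOL;       // request-controlled
echo 'hardened From domain: ' . hardened_sender_domain($configured) . PHP_EOL; // configuration-controlled
```

Independently of application code, the same exposure can be closed at the web-server layer: on Apache, setting `ServerName` explicitly and `UseCanonicalName On` makes SERVER_NAME reflect the configured name rather than the request's Host header. Checking that setting (and that the default virtual host does not serve the application for unknown Host values) is a quick verification step on deployments that cannot yet take the package update.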
Notes
Package
Upstream: released (4.7.5+dfsg-2)
Ubuntu 12.04 ESM (Precise Pangolin): DNE (precise was needs-triage)
Ubuntu 14.04 ESM (Trusty Tahr): DNE (trusty was needed)
Ubuntu 16.04 LTS (Xenial Xerus): needed
Ubuntu 18.04 LTS (Bionic Beaver): not-affected (4.9.5+dfsg1-1)
Ubuntu 19.10 (Eoan Ermine): not-affected (4.9.5+dfsg1-1)
Ubuntu 20.04 (Focal Fossa): not-affected (4.9.5+dfsg1-1)
More Information

Updated: 2020-01-29 18:49:39 UTC (commit 40f18bf14da5fb50662e1f861ea594a462b207fe)