CVE-2018-5702

Priority
Medium
Description
Transmission through 2.92 relies on X-Transmission-Session-Id (which is not
a forbidden header for Fetch) for access control, which allows remote
attackers to execute arbitrary RPC commands, and consequently write to
arbitrary files, via POST requests to /transmission/rpc in conjunction with
a DNS rebinding attack.
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 LTS (Trusty Tahr): released (2.82-1.1ubuntu3.2)
Ubuntu 16.04 LTS (Xenial Xerus): released (2.84-3ubuntu3.1)
Ubuntu 17.10 (Artful Aardvark): released (2.92-2ubuntu3.1)
Ubuntu 18.04 LTS (Bionic Beaver): released (2.92-3ubuntu1)
Updated: 2018-01-30 20:14:18 UTC (commit 14092)