CVE-2017-0356

high-risk
Published 2018-04-13

A flaw, similar to to CVE-2016-9646, exists in ikiwiki before 3.20170111, in the passwordauth plugin's use of CGI::FormBuilder, allowing an attacker to bypass authentication via repeated parameters.

Do I need to act?

~
5.6% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (3)

Ikiwiki

Affected Vendors

Debian Ikiwiki

References (8)

Third Party Advisory http://www.securityfocus.com/bid/95420
Vendor Advisory https://ikiwiki.info/security/#cve-2017-0356
Exploit https://marc.info/?l=oss-security&m=148418234314276&w=2
Third Party Advisory https://www.debian.org/security/2017/dsa-3760
Third Party Advisory http://www.securityfocus.com/bid/95420
Vendor Advisory https://ikiwiki.info/security/#cve-2017-0356
Exploit https://marc.info/?l=oss-security&m=148418234314276&w=2
Third Party Advisory https://www.debian.org/security/2017/dsa-3760
50
/ 100
high-risk
Severity 32/34 · Critical
Exploitability 9/34 · Low
Exposure 9/34 · Low