CVE-2017-0907

high-risk
Published 2017-11-13

The Recurly Client .NET Library before 1.0.1, 1.1.10, 1.2.8, 1.3.2, 1.4.14, 1.5.3, 1.6.2, 1.7.1, 1.8.1 is vulnerable to a Server-Side Request Forgery vulnerability due to incorrect use of "Uri.EscapeUriString" that could result in compromise of API keys or other critical resources.

Do I need to act?

-
0.52% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
+
Fix available
Upgrade to: 9eef460c0084afd5c24d66220c8b7a381cf9a1f1
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (20)

Recurly Client .Net
Recurly Client .Net
Recurly Client .Net
Recurly Client .Net
Recurly Client .Net
Recurly Client .Net
Recurly Client .Net
Recurly Client .Net
Recurly Client .Net
Recurly Client .Net
Recurly Client .Net
Recurly Client .Net
Recurly Client .Net
Recurly Client .Net
Recurly Client .Net
Recurly Client .Net
Recurly Client .Net
Recurly Client .Net
Recurly Client .Net
Recurly Client .Net

Affected Vendors

Recurly

References (6)

Vendor Advisory https://dev.recurly.com/page/net-updates
Patch https://github.com/recurly/recurly-client-net/commit/9eef460c0084afd5c24d66220c8...
Permissions Required https://hackerone.com/reports/288635
Vendor Advisory https://dev.recurly.com/page/net-updates
Patch https://github.com/recurly/recurly-client-net/commit/9eef460c0084afd5c24d66220c8...
Permissions Required https://hackerone.com/reports/288635
59
/ 100
high-risk
Severity 32/34 · Critical
Exploitability 2/34 · Minimal
Exposure 25/34 · High