Source: dokuwiki
Version: 0.0.20160626.a-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/splitbrain/dokuwiki/issues/1708

Hi,

the following vulnerability was published for dokuwiki. No fix upstream
AFAICS yet.

CVE-2016-7964[0]:
| The sendRequest method in HTTPClient Class in file /inc/HTTPClient.php
| in DokuWiki 2016-06-26a and older, when media file fetching is enabled,
| has no way to restrict access to private networks. This allows users to
| scan ports of internal networks via SSRF, such as 10.0.0.1/8,
| 172.16.0.0/12, and 192.168.0.0/16.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-7964
[1] https://github.com/splitbrain/dokuwiki/issues/1708

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
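The report above says the HTTP client has "no way to restrict access to private networks". The following is an added illustration of the kind of guard that closes that gap; it is example code written for this page, not DokuWiki's HTTPClient and not part of the bug report or of any upstream fix. All function names (`ip_in_cidr`, `is_blocked_ip`, `is_safe_fetch_target`) and the `$fakeDns` table are assumptions for the example; it needs PHP 7.4 or later and runs offline because the resolver is injected.

```php
<?php
// Added example, not DokuWiki code: refuse to fetch a URL whose host resolves
// to a private, loopback, link-local or otherwise non-routable address.

/** True if $ip (v4 or v6 literal) lies inside $cidr; false on family mismatch. */
function ip_in_cidr(string $ip, string $cidr): bool {
    [$net, $bits] = explode('/', $cidr, 2);
    $ipBin  = inet_pton($ip);
    $netBin = inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false;                       // invalid literal or v4 vs v6
    }
    $bits      = (int) $bits;
    $fullBytes = intdiv($bits, 8);
    if (substr($ipBin, 0, $fullBytes) !== substr($netBin, 0, $fullBytes)) {
        return false;
    }
    $rem = $bits % 8;
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;    // leading $rem bits of the partial byte
    return (ord($ipBin[$fullBytes]) & $mask) === (ord($netBin[$fullBytes]) & $mask);
}

// Ranges a server-side fetcher should never be allowed to reach. The three
// RFC 1918 blocks named in the CVE are here, plus loopback, link-local,
// CGNAT, multicast/reserved, and (conservatively) every IPv4-mapped IPv6 address.
const BLOCKED_RANGES = [
    '0.0.0.0/8', '10.0.0.0/8', '100.64.0.0/10', '127.0.0.0/8', '169.254.0.0/16',
    '172.16.0.0/12', '192.168.0.0/16', '224.0.0.0/4', '240.0.0.0/4',
    '::/128', '::1/128', 'fc00::/7', 'fe80::/10', '::ffff:0:0/96',
];

function is_blocked_ip(string $ip): bool {
    foreach (BLOCKED_RANGES as $cidr) {
        if (ip_in_cidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

/**
 * Decide whether $url may be fetched. Every address the host resolves to is
 * checked, because a name with one internal record is still a pivot.
 * $resolver maps a hostname to a list of IP literals; defaults to system DNS.
 */
function is_safe_fetch_target(string $url, ?callable $resolver = null): bool {
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme'] ?? ''), ['http', 'https'], true)) {
        return false;                       // no file://, gopher://, etc.
    }
    $host = trim($parts['host'], '[]');     // parse_url keeps brackets on v6 literals

    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $addrs = [$host];
    } else {
        $resolver = $resolver ?? function (string $h): array {
            $v4 = gethostbynamel($h) ?: [];
            $v6 = array_column(dns_get_record($h, DNS_AAAA) ?: [], 'ipv6');
            return array_merge($v4, $v6);
        };
        $addrs = $resolver($host);
    }
    if ($addrs === []) {
        return false;                       // unresolvable: refuse rather than guess
    }
    foreach ($addrs as $ip) {
        if (is_blocked_ip($ip)) {
            return false;
        }
    }
    return true;
}

// Constructed resolver for a stand-alone run (assumption; no network needed).
$fakeDns = fn(string $h): array => [
    'wiki.example'     => ['203.0.113.10'],
    'intranet.example' => ['10.0.0.5'],
][$h] ?? [];

var_dump(is_safe_fetch_target('http://wiki.example/logo.png', $fakeDns));
var_dump(is_safe_fetch_target('http://intranet.example:8080/', $fakeDns));
var_dump(is_safe_fetch_target('http://192.168.1.1/', $fakeDns));
var_dump(is_safe_fetch_target('http://[::1]/', $fakeDns));
```

Two caveats a reviewer of a real fix would want covered. First, the check must be re-run on every hop: a fetcher that follows redirects can be bounced from an allowed public host to an internal one, so the guard has to apply to each Location target, not only the initial URL. Second, checking here and connecting later leaves a window for DNS rebinding; the address that passed the check should be the one actually connected to (for example by connecting to the checked IP and sending the original Host header), otherwise a second lookup at connect time can return an internal address the guard never saw. Checking the resolver's output rather than the hostname literal also means alternative spellings of an address (decimal or hex forms that the resolver normalises) are judged by where they actually point.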