Bug 1039958 – VUL-0: CVE-2017-7178: deluge: CSRF vulnerability

Bug 1039958 - (CVE-2017-7178) VUL-0: CVE-2017-7178: deluge: CSRF vulnerability

(CVE-2017-7178)
Summary:	VUL-0: CVE-2017-7178: deluge: CSRF vulnerability

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other openSUSE 42.2

Priority:	P3 - Medium Severity: Major
Target Milestone:	unspecified
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/182019/
Whiteboard:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2017-05-19 16:41 UTC by Andreas Stieger
Modified:	2017-10-25 19:12 UTC (History)
CC List:	2 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Andreas Stieger 2017-05-19 16:41:22 UTC

CSRF was discovered in the web UI in Deluge before 1.3.14. The exploitation
methodology involves (1) hosting a crafted plugin that executes an arbitrary
program from its __init__.py file and (2) causing the victim to download,
install, and enable this plugin.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7178
http://www.debian.org/security/2017/dsa-3856
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7178.html
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857903
http://www.cvedetails.com/cve/CVE-2017-7178/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7178
http://www.securityfocus.com/bid/97041
http://dev.deluge-torrent.org/wiki/ReleaseNotes/1.3.14
http://git.deluge-torrent.org/deluge/commit/?h=develop&id=11e8957deaf0c76fdfbac62d99c8b6c61cfdddf9
http://git.deluge-torrent.org/deluge/commit/?h=1.3-stable&id=318ab179865e0707d7945edc3a13a464a108d583
http://seclists.org/fulldisclosure/2017/Mar/6

Comment 2 Andreas Stieger 2017-05-19 16:42:49 UTC

Already submitted with bug 1039815

Comment 3 Andreas Stieger 2017-05-19 16:47:52 UTC

update running

Comment 4 Swamp Workflow Management 2017-06-06 22:09:13 UTC

openSUSE-SU-2017:1497-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1039815,1039958
CVE References: CVE-2017-7178,CVE-2017-9031
Sources used:
openSUSE Leap 42.2 (src):    deluge-1.3.15-3.3.1

Comment 5 Marcus Meissner 2017-10-25 19:12:43 UTC

released