CVE-2016-4793
high
CVSS v3
7.5
CVSS v2
5.0
VIR risk
7.5
Description
CakePHP allows remote attackers to spoof their IP address.
Predictions
Exploit likelihood
83%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2016-4793
Vendor advisory: cve@mitre.org — https://bakery.cakephp.org/2016/03/13/cakephp_2613_2711_282_3017_3112_325_released.html
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bullseye | fixed | 2.8.3-1 |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Packagist | cakephp/cakephp | >=1.2.0,<2.6.13 | 2.6.13 |
| Packagist | cakephp/cakephp | >=2.7.0-rc1,<2.7.11 | 2.7.11 |
| Packagist | cakephp/cakephp | >=2.8.0-rc1,<2.8.2 | 2.8.2 |
| Packagist | cakephp/cakephp | >=3.0.0-rc1,<3.0.17 | 3.0.17 |
| Packagist | cakephp/cakephp | >=3.1.0-beta1,<3.1.12 | 3.1.12 |
| Packagist | cakephp/cakephp | >=3.2.0-rc1,<3.2.5 | 3.2.5 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| cakephp | cakephp | <= 3.2.4 | |
References
- http://legalhackers.com/advisories/CakePHP-IP-Spoofing-Vulnerability.txt
- http://www.securityfocus.com/bid/95846
- https://bakery.cakephp.org/2016/03/13/cakephp_2613_2711_282_3017_3112_325_released.html
- https://support.citrix.com/article/CTX236992
- https://www.exploit-db.com/exploits/39813/
- https://security-tracker.debian.org/tracker/CVE-2016-4793
- https://nvd.nist.gov/vuln/detail/CVE-2016-4793
- https://github.com/cakephp/cakephp/commit/908754649f70bab2b1093942e17c9a46a2fcf6c2
- https://github.com/cakephp/cakephp
CWEs
CWE-20