CVE-2016-9646

ikiwiki before 3.20161229 incorrectly called the CGI::FormBuilder->field method (similar to the CGI->param API that led to Bugzillas CVE-2014-1572), which can be abused to lead to commit metadata forgery.

Weakness

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Affected Software

Potential Mitigations

Related Attack Patterns

• https://cwe.mitre.org/data/definitions/114.html
• https://cwe.mitre.org/data/definitions/115.html
• https://cwe.mitre.org/data/definitions/151.html
• https://cwe.mitre.org/data/definitions/194.html
• https://cwe.mitre.org/data/definitions/22.html
• https://cwe.mitre.org/data/definitions/57.html
• https://cwe.mitre.org/data/definitions/593.html
• https://cwe.mitre.org/data/definitions/633.html
• https://cwe.mitre.org/data/definitions/650.html
• https://cwe.mitre.org/data/definitions/94.html

References

• https://ikiwiki.info/security/#cve-2016-9646
• https://marc.info/?l=oss-security\u0026m=148304341511854\u0026w=2
• https://security-tracker.debian.org/tracker/CVE-2016-9646
• https://www.debian.org/security/2017/dsa-3760
• https://ikiwiki.info/security/#cve-2016-9646
• https://marc.info/?l=oss-security\u0026m=148304341511854\u0026w=2
• https://security-tracker.debian.org/tracker/CVE-2016-9646
• https://www.debian.org/security/2017/dsa-3760