[oss-security] 20140813 Re: WordPress 3.9.2 release - needs CVE's

DSA-3001

https://core.trac.wordpress.org/changeset/29408

https://wordpress.org/news/2014/08/wordpress-3-9-2/

Versions of WordPress 3.7.x prior to 3.7.4 , 3.8.x prior to 3.8.4 , and 3.9.x prior to 3.9.2 are susceptible to the following vulnerabilities : 

  - An XML injection flaw exists within 'getid3.lib.php' due to the parser accepting XML external entities from untrusted sources. Using specially crafted XML data, a remote attacker could access sensitive information or cause a denial of service. This affects versions 3.6 - 3.9.1, except 3.7.4 and 3.8.4.
 - An XML injection flaw exists within 'xmlrpc.php' due to the parser accepting XML internal entities without properly validating them. Using specially crafted XML data, a remote attacker could cause a denial of service. This affects versions 1.5 - 3.9.1, except 3.7.4 and 3.8.4.
 - An unsafe serialization flaw exists in the script '/src/wp-includes/class-wp-customize-widgets.php' when processing widgets. This could allow a remote attacker to execute arbitrary code. Versions 3.9 and 3.9.1 non-default configurations are affected.
 - A flaw exists when building CSRF tokens due to it not separating pieces by delimiter and not comparing nonces in a time-constant manner. This could allow a remote attacker to conduct a brute force attack and potentially disclose the CSRF token. This affects versions 2.0.3 - 3.9.1, except 3.7.4 and 3.8.4.
 - A cross-site scripting flaw exists in the function 'get_avatar' within the '/src/wp-includes/pluggable.php' script where input from the avatars is not validated before returning it to the user. Using a specially crafted request, an authenticated attacker could execute arbitrary script code within the browser / server trust relationship. This affects version 3.9.1.

Multiple security issues have been discovered in Wordpress, a web blogging tool, resulting in denial of service or information disclosure.

More information can be found in the upstream advisory at https://wordpress.org/news/2014/08/wordpress-3-9-2/

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Upstream announcement:
http://wordpress.org/news/2014/08/wordpress-3-9-2/

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to its version number, the WordPress application hosted on the remote web server is affected by multiple vulnerabilities :

  - An XML injection flaw exists within 'getid3.lib.php'     due to the parser accepting XML external entities     from untrusted sources. Using specially crafted XML     data, a remote attacker could access sensitive     information or cause a denial of service. This affects     versions 3.6 - 3.9.1, except 3.7.4 and 3.8.4.

  - An XML injection flaw exists within 'xmlrpc.php' due to     the parser accepting XML internal entities without     properly validating them. Using specially crafted XML     data, a remote attacker could cause a denial of service.
    This affects versions 1.5 - 3.9.1, except 3.7.4 and     3.8.4.

  - An unsafe serialization flaw exists in the script     '/src/wp-includes/class-wp-customize-widgets.php' when     processing widgets. This could allow a remote attacker     to execute arbitrary code. Versions 3.9 and 3.9.1     non-default configurations are affected.

  - A flaw exists when building CSRF tokens due to it not     separating pieces by delimiter and not comparing nonces     in a time-constant manner. This could allow a remote     attacker to conduct a brute force attack and potentially     disclose the CSRF token. This affects versions 2.0.3 -     3.9.1, except 3.7.4 and 3.8.4.

  - A cross-site scripting flaw exists in the function     'get_avatar' within the '/src/wp-includes/pluggable.php'     script where input from the avatars is not validated     before returning it to the user. Using a specially     crafted request, an authenticated attacker could execute     arbitrary script code within the browser / server trust     relationship. This affects version 3.9.1.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Multiple security issues have been discovered in Wordpress, a web blogging tool, resulting in denial of service or information disclosure. More information can be found in the upstream advisory at https://wordpress.org/news/2014/08/wordpress-3-9-2/.

ID	Name	Product	Family	Severity
9025	WordPress < 3.7.4 / 3.8.x < 3.8.4 / 3.9.x < 3.9.2 Multiple Vulnerabilities	Nessus Network Monitor	CGI	high
82202	Debian DLA-56-1 : wordpress security update	Nessus	Debian Local Security Checks	high
77347	Fedora 19 : wordpress-3.9.2-3.fc19 (2014-9270)	Nessus	Fedora Local Security Checks	high
77312	Fedora 20 : wordpress-3.9.2-3.fc20 (2014-9264)	Nessus	Fedora Local Security Checks	high
77157	WordPress < 3.7.4 / 3.8.4 / 3.9.2 Multiple Vulnerabilities	Nessus	CGI abuses	high
77102	Debian DSA-3001-1 : wordpress - security update	Nessus	Debian Local Security Checks	high

CVE-2014-5205

MEDIUM

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

Vulnerable Software

Configuration 1

Tenable Plugins

high

high

high

high

high

high