CVE-2021-29476

EPSS 2.22%
Veröffentlicht 27.04.2021 21:15:08
Zuletzt bearbeitet 21.11.2024 06:01:13
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Insecure Deserialization of untrusted data in rmccue/requests

WordPress Core < 5.5.3 - PHP Object Injection Gadget

Requests is a HTTP library written in PHP. Requests mishandles deserialization in FilteredIterator. The issue has been patched and users of `Requests` 1.6.0, 1.6.1 and 1.7.0 should update to version 1.8.0.

Mögliche Gegenmaßnahme

WordPress: Update to one of the following versions, or a newer patched version: 3.7.35, 3.8.35, 3.9.33, 4.0.32, 4.1.32, 4.2.29, 4.3.25, 4.4.24, 4.5.23, 4.6.20, 4.7.19, 4.8.15, 4.9.16, 5.0.11, 5.1.8, 5.2.9, 5.3.6, 5.4.4, 5.5.3

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 6

NVD 3 VulnDex Vulnerability Enrichment 2

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Wordpress ≫ Requests Version1.6.0

Wordpress ≫ Requests Version1.6.1

Wordpress ≫ Requests Version1.7.0

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Weitere Schwachstelleninformationen

SystemWordPress Core

≫

Produkt WordPress

Version [*, 3.7)

Version [3.7, 3.7.35)

Version [3.8, 3.8.35)

Version [3.9, 3.9.33)

Version [4.0, 4.0.32)

Version [4.1, 4.1.32)

Version [4.2, 4.2.29)

Version [4.3, 4.3.25)

Version [4.4, 4.4.24)

Version [4.5, 4.5.23)

Version [4.6, 4.6.20)

Version [4.7, 4.7.19)

Version [4.8, 4.8.15)

Version [4.9, 4.9.16)

Version [5.0, 5.0.11)

Version [5.1, 5.1.8)

Version [5.2, 5.2.9)

Version [5.3, 5.3.6)

Version [5.4, 5.4.4)

Version [5.5, 5.5.3)

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	2.22%	0.83

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P
security-advisories@github.com	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

https://github.com/WordPress/Requests/security/advisories/GHSA-52qp-jpq7-6c54

Third Party Advisory

https://github.com/rmccue/Requests/pull/421

Patch

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/6345d360-5f58-44d2-bc2d-1a20ee43e146

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-29476

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-29476

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-29476

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2021-29476