Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <1432824084554.52187@akamai.com>
Date: Thu, 28 May 2015 14:41:24 +0000
From: "Seaman, Chad" <cseaman@...mai.com>
To: "henri@...v.fi" <henri@...v.fi>, "oss-security@...ts.openwall.com"
	<oss-security@...ts.openwall.com>
Subject: Re: Re: CVE Request, multiple WordPress plugins and
 themes

    * extended-catagories-widget [PLUGINS] + url:
    https://wordpress.org/plugins/extended-categories-widget/ +
    vuln found: :--|- post auth admin SQLi

seems to map to this public issue:

    https://wordpress.org/plugins/extended-categories-widget/changelog/
       Last Updated: 2015-5-27
       Version 4.0.1
       Post-Auth SQL Injection Vulnerability
       Only occurs for WordPress versions lower than 3.3

Correct, authors of plugins were notified of these vulnerabilities yesterday, and as the date suggests, some have began pushing out fixes.

________________________________________
From: cve-assign@...re.org <cve-assign@...re.org>
Sent: Thursday, May 28, 2015 7:51 AM
To: henri@...v.fi
Cc: cve-assign@...re.org; oss-security@...ts.openwall.com
Subject: [oss-security] Re: CVE Request, multiple WordPress plugins and themes

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> One email with all needed details for CVE request per plugin is better
> way to get these assigned.

The MITRE CVE team currently prefers that this request not be re-sent
as a separate message for each plugin.

> https://github.com/RedHatProductSecurity/CVE-HOWTO#how-to-write-a-cve-request

That document is directly applicable to CVE request responses by Kurt
Seifried (including the ones he sent to oss-security up until 2013).
Although the document contains a large amount of useful information,
it is not a document that has been reviewed by the MITRE CVE team. For
the specific topic of WordPress plugins, we would typically need to
know what privileges are required to conduct each attack and -- in
situations with more than one security issue for a single plugin --
whether the vulnerabilities are independently exploitable.

> does not have enough information for CVE request

For the majority of the plugins, the amount of vulnerability detail is
similar to the http://openwall.com/lists/oss-security/2015/05/22/4
case that we discussed here last week. The situation isn't identical,
so we'll try to clarify. As always, MITRE does not make decisions
about the policies of the oss-security list. The current status is
that nobody has objected to the message pattern starting with (for
example) the http://openwall.com/lists/oss-security/2015/05/18/8 post,
in which version information was originally included and the
vulnerability had already been fixed. The
http://openwall.com/lists/oss-security/2015/05/27/6 reporting pattern
is not always the same. First, version information is not directly
included. Second, some of the plugins apparently do not have a
changelog entry indicating that any security problem was recently
fixed. Putting all of this together, the most critical difference may
be that some of these plugin reports are not about "Public security
issues" and would potentially fall outside the scope of this list. So,
our guess is that we can send a response here (with a CVE mapping) for
a subset of this message, e.g.,

    * extended-catagories-widget [PLUGINS] + url:
    https://wordpress.org/plugins/extended-categories-widget/ +
    vuln found: :--|- post auth admin SQLi

seems to map to this public issue:

    https://wordpress.org/plugins/extended-categories-widget/changelog/
       Last Updated: 2015-5-27
       Version 4.0.1
       Post-Auth SQL Injection Vulnerability
       Only occurs for WordPress versions lower than 3.3

but we must not send a response here (with a CVE mapping) for some of
the other parts. If we have misinterpreted that, you can (among other
options) send e-mail directly to only cve-assign@...re.org to tell us.
We will leave it at that for now. There are obviously open questions,
e.g., if someone prefers to send a very large number of
low-information but public WordPress plugin findings, is it still best
to use oss-security.

- --
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJVZwALAAoJEKllVAevmvmsNLUH/3sPYVAJdvAzrBsr5gA8I0Pi
2KDWEA+nolK70uhf+fcGLJtw0HJY+q1C/gtWVVd2VaNCojsBwA0Xz5GyWqk8bzVx
UZX5WgbFbyy5gOQE1Gp49NM5V2KvoZ8YJvLw7hds9XPmpX7lH3MbjXmzDy+p2e1Y
BUlg2Js4noI0VjOBJBreaXNWVoHyI6YbSSRuJWXGEiMWah8dhTvh/i+Kkjr/tO1g
t6kfThgZzdEErBQBbm/hjDxvy5zNRyZiePSRUnEYoTmD3Pj12B5/B861T/d5An8N
BDT+JCb2hcXe5zEXEwu0QFXW3B41z/K0nNGIoD/ZS18rZza1hhY8WBnf3KkQ8Ns=
=Sw75
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.