Open
Description
What did you do? (required. The issue will be closed when not provided.)
% vuls scan wp-vuls
% vuls report -format-full-text -ignore-unfixed
: Nothing
% vuls report -format-full-text
wp-vuls (centos7.9.2009)
============================
Total: 2 (Critical:1 High:1 Medium:0 Low:0 ?:0)
2/2 Fixed, 1 poc, 0 exploits, cisa: 0, uscert: 0, jpcert: 0 alerts
0 installed, 9 WordPress pkgs
+----------------+---------------------------------------------------------------------------------------------------+
| CVE-2021-44223 | FIXED                                                                                             |
+----------------+---------------------------------------------------------------------------------------------------+
| Max Score      | 9.8 CRITICAL (nvd)                                                                                |
| nvd            | 9.8/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CRITICAL                                         |
| nvd            | 7.5/AV:N/AC:L/Au:N/C:P/I:P/A:P HIGH                                                               |
| Summary        | WordPress before 5.8 lacks support for the Update URI plugin header. This makes                   |
|                | it easier for remote attackers to execute arbitrary code via a supply-chain                       |
|                | attack against WordPress installations that use any plugin for which the slug                     |
|                | satisfies the naming constraints of the WordPress.org Plugin Directory but is                     |
|                | not yet present in that directory.                                                                |
| Primary Src    | https://make.wordpress.org/core/2021/06/29/introducing-update-uri-plugin-header-in-wordpress-5-8/ |
| Primary Src    | https://nvd.nist.gov/vuln/detail/CVE-2021-44223                                                   |
| WordPress      | core-5.7.4, FixedIn: 5.8                                                                          |
| Confidence     | 100 / WpScanMatch                                                                                 |
| CWE            | NVD-CWE-Other: (nvd)                                                                              |
| CWE            | https://cwe.mitre.org/data/definitions/NVD-CWE-Other.html                                         |
| nvd            | https://vavkamil.cz/2021/11/25/wordpress-plugin-confusion-update-can-get-you-pwned/               |
+----------------+---------------------------------------------------------------------------------------------------+
+----------------+----------------------------------------------------------------------------------+
| CVE-2021-20865 | FIXED                                                                            |
+----------------+----------------------------------------------------------------------------------+
| Max Score      | 7.5 HIGH (nvd)                                                                   |
| nvd            | 7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N HIGH                            |
| jvn            | 4.3/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N MEDIUM                          |
| nvd            | 5.0/AV:N/AC:L/Au:N/C:P/I:N/A:N MEDIUM                                            |
| jvn            | 4.0/AV:N/AC:L/Au:S/C:P/I:N/A:N MEDIUM                                            |
| Summary        | Multiple missing authorization vulnerabilities in the WordPress plugin Advanced  |
|                | Custom Fields                                                                    |
|                | The WordPress plugin Advanced Custom Fields provided by Delicious Brains         |
|                | contains the following multiple missing authorization vulnerabilities:          |
|                | - Missing authorization for viewing the database (CWE-862) - CVE-2021-20865      |
|                | - Missing authorization for retrieving the user list (CWE-862) - CVE-2021-20866  |
|                | - Missing authorization for moving field groups (CWE-862) - CVE-2021-20867       |
|                | This vulnerability information was reported to IPA by the person listed below    |
|                | under the Information Security Early Warning Partnership, and JPCERT/CC          |
|                | coordinated with the developer.                                                  |
|                | Reporter: Keitaro Yamazaki of Ierae Security Inc.                                |
| Primary Src    | https://www.advancedcustomfields.com/                                            |
| Primary Src    | https://nvd.nist.gov/vuln/detail/CVE-2021-20865                                  |
| Primary Src    | https://jvndb.jvn.jp/ja/contents/2021/JVNDB-2021-000109.html                     |
| WordPress      | advanced-custom-fields-5.9.6, Update: available, FixedIn: 5.11, active           |
| WordPress      | advanced-custom-fields-pro-5.9.6, Update: available, FixedIn: 5.11, active       |
| Confidence     | 100 / WpScanMatch                                                                |
| Confidence     | 100 / WpScanMatch                                                                |
| CWE            | [CWE/SANS Top6] CWE-862: Missing Authorization (CWE-862) (nvd)                   |
| CWE            | http://jvndb.jvn.jp/ja/cwe/CWE-862.html                                          |
| SANS/CWE Top25 | https://www.sans.org/top25-software-errors/                                      |
+----------------+----------------------------------------------------------------------------------+
What did you expect to happen?
reporting fixed pkgs
What happened instead?
- Current Output
Please re-run the command using -debug and provide the output below.
Steps to reproduce the behaviour
Configuration (MUST fill this out):
- Go version (go version):
go version go1.16.3 linux/amd64
- Go environment (go env): -
- Vuls environment:
vuls-v0.19.0-build-20211217_102841_2b7294a
- config.toml: -
- command: -
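To make explicit what the report above expects from -ignore-unfixed, the following Go filter is an illustrative model added to this write-up; it is not code from the Vuls project. It keeps a CVE when at least one of its package matches carries a FixedIn version (as both CVEs in the report do) and drops a CVE only when none of its matches has a fix. The Finding type, the FilterIgnoreUnfixed function and the EXAMPLE-UNFIXED-1 entry are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Finding is an illustrative model of one vulnerable package match in a
// report: the CVE ID, the package it was matched against, and the version
// in which the fix landed ("" when no fixed version is known).
// This is an assumption for the example, not a type from the Vuls project.
type Finding struct {
	CveID   string
	Package string
	FixedIn string
}

// HasFix reports whether a fixed version is known for this match.
func (f Finding) HasFix() bool { return f.FixedIn != "" }

// FilterIgnoreUnfixed returns, in first-seen order, the CVE IDs that an
// "ignore unfixed" filter should still report: a CVE survives when any of
// its package matches has a fix available and is dropped only when none
// does. A CVE with one fixed and one unfixed match therefore stays in.
func FilterIgnoreUnfixed(findings []Finding) []string {
	fixable := map[string]bool{}
	var order []string
	for _, f := range findings {
		if _, seen := fixable[f.CveID]; !seen {
			order = append(order, f.CveID)
		}
		fixable[f.CveID] = fixable[f.CveID] || f.HasFix()
	}
	var kept []string
	for _, id := range order {
		if fixable[id] {
			kept = append(kept, id)
		}
	}
	return kept
}

// sampleFindings mirrors the matches shown in the report above plus one
// constructed entry without a fixed version, so the filter has something
// to drop. EXAMPLE-UNFIXED-1 is a placeholder, not a real identifier.
func sampleFindings() []Finding {
	return []Finding{
		{CveID: "CVE-2021-44223", Package: "core-5.7.4", FixedIn: "5.8"},
		{CveID: "CVE-2021-20865", Package: "advanced-custom-fields-5.9.6", FixedIn: "5.11"},
		{CveID: "CVE-2021-20865", Package: "advanced-custom-fields-pro-5.9.6", FixedIn: "5.11"},
		{CveID: "EXAMPLE-UNFIXED-1", Package: "example-plugin-1.0.0", FixedIn: ""},
	}
}

func main() {
	kept := FilterIgnoreUnfixed(sampleFindings())
	fmt.Printf("reported with ignore-unfixed: %s\n", strings.Join(kept, ", "))
}
```

Run as written, the two CVEs from the report survive the filter and only the constructed unfixed entry is dropped, which is the behaviour the "What did you expect to happen?" answer above describes.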