Lucene search

K
cve[email protected]CVE-2021-29504
HistoryJun 07, 2021 - 9:15 p.m.

CVE-2021-29504

2021-06-0721:15:08
CWE-295
web.nvd.nist.gov
57
4
wp-cli
wordpress
vulnerability
https
remote attack
certificate verification
tls handshake
update servers
malicious updates
insecure behavior

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

0.002 Low

EPSS

Percentile

61.4%

WP-CLI is the command-line interface for WordPress. An improper error handling in HTTPS requests management in WP-CLI version 0.12.0 and later allows remote attackers able to intercept the communication to remotely disable the certificate verification on WP-CLI side, gaining full control over the communication content, including the ability to impersonate update servers and push malicious updates towards WordPress instances controlled by the vulnerable WP-CLI agent, or push malicious updates toward WP-CLI itself. The vulnerability stems from the fact that the default behavior of WP_CLI\Utils\http_request() when encountering a TLS handshake error is to disable certificate validation and retry the same request. The default behavior has been changed with version 2.5.0 of WP-CLI and the wp-cli/wp-cli framework (via https://github.com/wp-cli/wp-cli/pull/5523) so that the WP_CLI\Utils\http_request() method accepts an $insecure option that is false by default and consequently that a TLS handshake failure is a hard error by default. This new default is a breaking change and ripples through to all consumers of WP_CLI\Utils\http_request(), including those in separate WP-CLI bundled or third-party packages. https://github.com/wp-cli/wp-cli/pull/5523 has also added an --insecure flag to the cli update command to counter this breaking change. There is no direct workaround for the default insecure behavior of wp-cli/wp-cli versions before 2.5.0. The workaround for dealing with the breaking change in the commands directly affected by the new secure default behavior is to add the --insecure flag to manually opt-in to the previous insecure behavior.

Affected configurations

Vulners
NVD
Node
wp-cliwp-cliRange<2.5.0
VendorProductVersionCPE
wp\-cliwp\-cli*cpe:2.3:a:wp\-cli:wp\-cli:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "product": "wp-cli",
    "vendor": "wp-cli",
    "versions": [
      {
        "status": "affected",
        "version": "< 2.5.0"
      }
    ]
  }
]

Social References

More

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

0.002 Low

EPSS

Percentile

61.4%