Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 435208 (CVE-2012-4421)

Summary: <www-apps/wordpress-3.4.2: Multiple restriction bypass vulnerabilities (CVE-2012-{4421,4422})
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: planet, web-apps
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: ~4 [noglsa]
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2012-09-16 14:07:19 UTC 
CVE-2012-4422 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4422):
  wp-admin/plugins.php in WordPress before 3.4.2, when the multisite feature
  is enabled, does not check for network-administrator privileges before
  performing a network-wide activation of an installed plugin, which might
  allow remote authenticated users to make unintended plugin changes by
  leveraging the Administrator role.

CVE-2012-4421 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4421):
  The create_post function in wp-includes/class-wp-atom-server.php in
  WordPress before 3.4.2 does not perform a capability check, which allows
  remote authenticated users to bypass intended access restrictions and
  publish new posts by leveraging the Contributor role and using the Atom
  Publishing Protocol (aka AtomPub) feature.


Please drop 3.4.1 from tree.
Comment 1 Agostino Sarubbo gentoo-dev 2012-09-16 15:05:32 UTC 
fixed.