Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bugzilla DB migration completed. Please report issues to Infra team via email via infra@gentoo.org or IRC
Bug 435208 (CVE-2012-4421) - <www-apps/wordpress-3.4.2: Multiple restriction bypass vulnerabilities (CVE-2012-{4421,4422})
Summary: <www-apps/wordpress-3.4.2: Multiple restriction bypass vulnerabilities (CVE-2...
Status: RESOLVED FIXED
Alias: CVE-2012-4421
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL:
Whiteboard: ~4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-09-16 14:07 UTC by GLSAMaker/CVETool Bot
Modified: 2012-09-16 15:05 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2012-09-16 14:07:19 UTC
CVE-2012-4422 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4422):
  wp-admin/plugins.php in WordPress before 3.4.2, when the multisite feature
  is enabled, does not check for network-administrator privileges before
  performing a network-wide activation of an installed plugin, which might
  allow remote authenticated users to make unintended plugin changes by
  leveraging the Administrator role.

CVE-2012-4421 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4421):
  The create_post function in wp-includes/class-wp-atom-server.php in
  WordPress before 3.4.2 does not perform a capability check, which allows
  remote authenticated users to bypass intended access restrictions and
  publish new posts by leveraging the Contributor role and using the Atom
  Publishing Protocol (aka AtomPub) feature.


Please drop 3.4.1 from tree.
Comment 1 Agostino Sarubbo gentoo-dev 2012-09-16 15:05:32 UTC
fixed.