435208 – (CVE-2012-4421) <www-apps/wordpress-3.4.2: Multiple restriction bypass vulnerabilities (CVE-2012-{4421,4422})

Bug 435208 (CVE-2012-4421) - <www-apps/wordpress-3.4.2: Multiple restriction bypass vulnerabilities (CVE-2012-{4421,4422})

Summary: <www-apps/wordpress-3.4.2: Multiple restriction bypass vulnerabilities (CVE-2...

Status:	RESOLVED FIXED

Alias:	CVE-2012-4421

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal trivial (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	~4 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2012-09-16 14:07 UTC by GLSAMaker/CVETool Bot
Modified:	2012-09-16 15:05 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description GLSAMaker/CVETool Bot gentoo-dev

2012-09-16 14:07:19 UTC

CVE-2012-4422 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4422):
  wp-admin/plugins.php in WordPress before 3.4.2, when the multisite feature
  is enabled, does not check for network-administrator privileges before
  performing a network-wide activation of an installed plugin, which might
  allow remote authenticated users to make unintended plugin changes by
  leveraging the Administrator role.

CVE-2012-4421 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4421):
  The create_post function in wp-includes/class-wp-atom-server.php in
  WordPress before 3.4.2 does not perform a capability check, which allows
  remote authenticated users to bypass intended access restrictions and
  publish new posts by leveraging the Contributor role and using the Atom
  Publishing Protocol (aka AtomPub) feature.


Please drop 3.4.1 from tree.

Comment 1 Agostino Sarubbo gentoo-dev

2012-09-16 15:05:32 UTC

fixed.