CVE-2014-9037

WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 might allow remote attackers to obtain access to an account idle since 2008 by leveraging an improper PHP dynamic type comparison for an MD5 hash.

CVSS v2.0 6.8 MEDIUM

6.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://wordpress.org/news/2014/11/wordpress-4-0-1/	Vendor Advisory Patch
http://openwall.com/lists/oss-security/2014/11/25/12
http://www.debian.org/security/2014/dsa-3085
http://www.mandriva.com/security/advisories?name=MDVSA-2014:233
http://advisories.mageia.org/MGASA-2014-0493.html
http://www.securitytracker.com/id/1031243

Advertisement

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:mageia_project:mageia:4:::::::*
	cpe:2.3:o:mageia_project:mageia:3:::::::*

Configuration 2 (hide)

OR	cpe:2.3:a:wordpress:wordpress:3.8:::::::*
	cpe:2.3:a:wordpress:wordpress:3.9:::::::*
	cpe:2.3:a:wordpress:wordpress:3.9.2:::::::*
	cpe:2.3:a:wordpress:wordpress:3.8.1:::::::*
	cpe:2.3:a:wordpress:wordpress:3.8.2:::::::*
	cpe:2.3:a:wordpress:wordpress:3.8.3:::::::*
	cpe:2.3:a:wordpress:wordpress:3.8.4:::::::*
	cpe:2.3:a:wordpress:wordpress::::::::
	cpe:2.3:a:wordpress:wordpress:3.9.1:::::::*
	cpe:2.3:a:wordpress:wordpress:4.0:::::::*

Configuration 3 (hide)

OR	cpe:2.3:o:debian:debian_linux:7.0:::::::*
	cpe:2.3:o:debian:debian_linux:8.0:::::::*

Information

Published : 2014-11-25 15:59

Updated : 2016-06-30 09:58

NVD link : CVE-2014-9037

Mitre link : CVE-2014-9037

JSON object : View

CWE

CWE-310

Cryptographic Issues

Advertisement

Products Affected

debian

debian_linux

mageia_project

mageia

wordpress

wordpress

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://wordpress.org/news/2014/11/wordpress-4-0-1/", "name": "https://wordpress.org/news/2014/11/wordpress-4-0-1/", "tags": ["Vendor Advisory", "Patch"], "refsource": "CONFIRM"}, {"url": "http://openwall.com/lists/oss-security/2014/11/25/12", "name": "[oss-security] 20141125 Re: WordPress 4.0.1 Security Release", "tags": [], "refsource": "MLIST"}, {"url": "http://www.debian.org/security/2014/dsa-3085", "name": "DSA-3085", "tags": [], "refsource": "DEBIAN"}, {"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2014:233", "name": "MDVSA-2014:233", "tags": [], "refsource": "MANDRIVA"}, {"url": "http://advisories.mageia.org/MGASA-2014-0493.html", "name": "http://advisories.mageia.org/MGASA-2014-0493.html", "tags": [], "refsource": "CONFIRM"}, {"url": "http://www.securitytracker.com/id/1031243", "name": "1031243", "tags": [], "refsource": "SECTRACK"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 might allow remote attackers to obtain access to an account idle since 2008 by leveraging an improper PHP dynamic type comparison for an MD5 hash."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-310"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2014-9037", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "severity": "MEDIUM", "impactScore": 6.4, "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}}, "publishedDate": "2014-11-25T23:59Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:mageia_project:mageia:4:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:mageia_project:mageia:3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:wordpress:wordpress:3.8:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:wordpress:wordpress:3.9:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:wordpress:wordpress:3.9.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:wordpress:wordpress:3.8.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:wordpress:wordpress:3.8.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:wordpress:wordpress:3.8.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:wordpress:wordpress:3.8.4:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "3.7.4"}, {"cpe23Uri": "cpe:2.3:a:wordpress:wordpress:3.9.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:wordpress:wordpress:4.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2016-06-30T16:58Z"}