CVE-2011-4898

2022-10-0316:15:14

Debian Security Bug Tracker

security-tracker.debian.org

cve-2011-4898

wordpress

installation component

error messages

remote attackers

brute-force attacks

vendor disputes

usability concern

mysql credentials

vague error messages

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

6.2 Medium

AI Score

Confidence

Low

0.005 Low

EPSS

Percentile

76.9%

JSON

wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier generates different error messages for requests lacking a dbname parameter depending on whether the MySQL credentials are valid, which makes it easier for remote attackers to conduct brute-force attacks via a series of requests with different uname and pwd parameters. NOTE: the vendor disputes the significance of this issue; also, it is unclear whether providing intentionally vague error messages during installation would be reasonable from a usability perspective

OSVersionArchitecturePackageVersionFilename
Debian12allwordpress<= 6.1.6+dfsg1-0+deb12u1wordpress_6.1.6+dfsg1-0+deb12u1_all.deb
Debian11allwordpress<= 5.7.11+dfsg1-0+deb11u1wordpress_5.7.11+dfsg1-0+deb11u1_all.deb
Debian999allwordpress<= 6.5.5+dfsg1-1wordpress_6.5.5+dfsg1-1_all.deb
Debian13allwordpress<= 6.5.5+dfsg1-1wordpress_6.5.5+dfsg1-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	wordpress	<= 6.1.6+dfsg1-0+deb12u1	wordpress_6.1.6+dfsg1-0+deb12u1_all.deb
Debian	11	all	wordpress	<= 5.7.11+dfsg1-0+deb11u1	wordpress_5.7.11+dfsg1-0+deb11u1_all.deb
Debian	999	all	wordpress	<= 6.5.5+dfsg1-1	wordpress_6.5.5+dfsg1-1_all.deb
Debian	13	all	wordpress	<= 6.5.5+dfsg1-1	wordpress_6.5.5+dfsg1-1_all.deb