In WordPress, `vuls report -ignore-unfixed` can't report fixed pkgs. #1346

Open

shigechika opened this issue Dec 23, 2021 · 1 comment

@shigechika (Contributor)
What did you do? (required. The issue will be closed when not provided.)

% vuls scan wp-vuls
% vuls report -format-full-text -ignore-unfixed
 : Nothing
% vuls report -format-full-text
wp-vuls (centos7.9.2009)
============================
Total: 2 (Critical:1 High:1 Medium:0 Low:0 ?:0)
2/2 Fixed, 1 poc, 0 exploits, cisa: 0, uscert: 0, jpcert: 0 alerts
0 installed, 9 WordPress pkgs

+----------------+---------------------------------------------------------------------------------------------------+
| CVE-2021-44223 | FIXED                                                                                             |
+----------------+---------------------------------------------------------------------------------------------------+
| Max Score      | 9.8 CRITICAL (nvd)                                                                                |
| nvd            | 9.8/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CRITICAL                                         |
| nvd            | 7.5/AV:N/AC:L/Au:N/C:P/I:P/A:P HIGH                                                               |
| Summary        | WordPress before 5.8 lacks support for the Update URI plugin header. This makes                   |
|                | it easier for remote attackers to execute arbitrary code via a supply-chain                       |
|                | attack against WordPress installations that use any plugin for which the slug                     |
|                | satisfies the naming constraints of the WordPress.org Plugin Directory but is                     |
|                | not yet present in that directory.                                                                |
| Primary Src    | https://make.wordpress.org/core/2021/06/29/introducing-update-uri-plugin-header-in-wordpress-5-8/ |
| Primary Src    | https://nvd.nist.gov/vuln/detail/CVE-2021-44223                                                   |
| WordPress      | core-5.7.4, FixedIn: 5.8                                                                          |
| Confidence     | 100 / WpScanMatch                                                                                 |
| CWE            | NVD-CWE-Other:  (nvd)                                                                             |
| CWE            | https://cwe.mitre.org/data/definitions/NVD-CWE-Other.html                                         |
| nvd            | https://vavkamil.cz/2021/11/25/wordpress-plugin-confusion-update-can-get-you-pwned/               |
+----------------+---------------------------------------------------------------------------------------------------+

+----------------+----------------------------------------------------------------------------------+
| CVE-2021-20865 | FIXED                                                                            |
+----------------+----------------------------------------------------------------------------------+
| Max Score      | 7.5 HIGH (nvd)                                                                   |
| nvd            | 7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N HIGH                            |
| jvn            | 4.3/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N MEDIUM                          |
| nvd            | 5.0/AV:N/AC:L/Au:N/C:P/I:N/A:N MEDIUM                                            |
| jvn            | 4.0/AV:N/AC:L/Au:S/C:P/I:N/A:N MEDIUM                                            |
| Summary        | WordPress 用プラグイン Advanced Custom Fields における複数の認証欠如の脆弱性     |
|                | Delicious Brains が提供する WordPress 用プラグイン Advanced                      |
|                | Custom Fields には、次に挙げる複数の認証欠如の脆弱性が存在します。               |
|                | ・データベース閲覧に関わる認証の欠如 (CWE-862) - CVE-2021-20865                  |
|                | ・ユーザ一覧取得に関わる認証の欠如 (CWE-862) - CVE-2021-20866                    |
|                | ・フィールドグループ移動に関わる認証の欠如 (CWE-862) - CVE-2021-20867            |
|                | この脆弱性情報は、情報セキュリティ早期警戒パートナーシップに基づき下記の方が     |
|                | IPA に報告し、JPCERT/CC が開発者との調整を行いました。 報告者:                   |
|                | 株式会社イエラエセキュリティ 山崎 啓太郎 氏                                      |
| Primary Src    | https://www.advancedcustomfields.com/                                            |
| Primary Src    | https://nvd.nist.gov/vuln/detail/CVE-2021-20865                                  |
| Primary Src    | https://jvndb.jvn.jp/ja/contents/2021/JVNDB-2021-000109.html                     |
| WordPress      | advanced-custom-fields-5.9.6, Update: available, FixedIn: 5.11, active           |
| WordPress      | advanced-custom-fields-pro-5.9.6, Update: available, FixedIn: 5.11, active       |
| Confidence     | 100 / WpScanMatch                                                                |
| Confidence     | 100 / WpScanMatch                                                                |
| CWE            | [CWE/SANS Top6]  CWE-862: 認証の欠如(CWE-862) (nvd)                              |
| CWE            | http://jvndb.jvn.jp/ja/cwe/CWE-862.html                                          |
| SANS/CWE Top25 | https://www.sans.org/top25-software-errors/                                      |
+----------------+----------------------------------------------------------------------------------+

What did you expect to happen?

reporting fixed pkgs

What happened instead?

  • Current Output

Please re-run the command using -debug and provide the output below.

Steps to reproduce the behaviour

Configuration (MUST fill this out):

  • Go version (go version):

go version go1.16.3 linux/amd64

  • Go environment (go env):

  • Vuls environment:

vuls-v0.19.0-build-20211217_102841_2b7294a

  • config.toml:

  • command:

@shigechika shigechika added the bug label Dec 23, 2021
@MaineK00n (Collaborator) commented Dec 24, 2021

I think the reason is that fixed/unfixed is not taken into account from WpPackageFixStats here.

vuls/models/vulninfos.go

Lines 67 to 86 in 2b7294a

```go
// FilterUnfixed filter unfixed CVE-IDs
func (v VulnInfos) FilterUnfixed(ignoreUnfixed bool) (_ VulnInfos, nFiltered int) {
	if !ignoreUnfixed {
		return v, 0
	}
	return v.Find(func(v VulnInfo) bool {
		// Report cves detected by CPE because Vuls can't know 'fixed' or 'unfixed'
		if len(v.CpeURIs) != 0 {
			return true
		}
		NotFixedAll := true
		for _, p := range v.AffectedPackages {
			NotFixedAll = NotFixedAll && p.NotFixedYet
		}
		if NotFixedAll {
			nFiltered++
		}
		return !NotFixedAll
	}), nFiltered
}
```

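As an added example (not vuls's own code; the model types are simplified stand-ins and their field names are assumptions), here is how the filter could consult WpPackageFixStats as well as AffectedPackages, so that the two fixed WordPress findings from the report above survive `-ignore-unfixed` instead of being dropped because no OS package is affected:

```go
package main

// Stand-ins for the vuls model types (assumed shapes, not the project's code).
type PackageFixStatus struct{ NotFixedYet bool }
type WpPackageFixStatus struct{ FixedIn string } // empty: no fix known yet
type VulnInfo struct {
	CpeURIs           []string
	AffectedPackages  []PackageFixStatus
	WpPackageFixStats []WpPackageFixStatus
}
type VulnInfos map[string]VulnInfo

// sample mirrors the issue's scan: two WordPress-only CVEs, both with a fix.
var sample = VulnInfos{
	"CVE-2021-44223": {WpPackageFixStats: []WpPackageFixStatus{{FixedIn: "5.8"}}},
	"CVE-2021-20865": {WpPackageFixStats: []WpPackageFixStatus{{FixedIn: "5.11"}}},
}

// allUnfixed is true when no affected package, OS or WordPress, has a fix.
// Consulting WpPackageFixStats is what the quoted snippet lacks: with no OS
// packages affected, its NotFixedAll stays true and the CVE is dropped.
func allUnfixed(vi VulnInfo) bool {
	for _, p := range vi.AffectedPackages {
		if !p.NotFixedYet {
			return false
		}
	}
	for _, w := range vi.WpPackageFixStats {
		if w.FixedIn != "" {
			return false
		}
	}
	return true // vacuously true when the CVE lists no packages at all
}

// FilterUnfixed drops CVEs with no fixed package; CPE-detected ones are kept.
func (v VulnInfos) FilterUnfixed(ignoreUnfixed bool) (VulnInfos, int) {
	if !ignoreUnfixed {
		return v, 0
	}
	kept, nFiltered := VulnInfos{}, 0
	for id, vi := range v {
		if len(vi.CpeURIs) != 0 || !allUnfixed(vi) {
			kept[id] = vi
			continue
		}
		nFiltered++
	}
	return kept, nFiltered
}
```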