What did you do? (required. The issue will be closed when not provided.)

```
% vuls scan wp-vuls
% vuls report -format-full-text -ignore-unfixed
: Nothing
% vuls report -format-full-text
wp-vuls (centos7.9.2009)
============================
Total: 2 (Critical:1 High:1 Medium:0 Low:0 ?:0)
2/2 Fixed, 1 poc, 0 exploits, cisa: 0, uscert: 0, jpcert: 0 alerts
0 installed, 9 WordPress pkgs

+----------------+---------------------------------------------------------------------------------------------------+
| CVE-2021-44223 | FIXED                                                                                             |
+----------------+---------------------------------------------------------------------------------------------------+
| Max Score      | 9.8 CRITICAL (nvd)                                                                                |
| nvd            | 9.8/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CRITICAL                                         |
| nvd            | 7.5/AV:N/AC:L/Au:N/C:P/I:P/A:P HIGH                                                               |
| Summary        | WordPress before 5.8 lacks support for the Update URI plugin header. This makes                   |
|                | it easier for remote attackers to execute arbitrary code via a supply-chain                       |
|                | attack against WordPress installations that use any plugin for which the slug                     |
|                | satisfies the naming constraints of the WordPress.org Plugin Directory but is                     |
|                | not yet present in that directory.                                                                |
| Primary Src    | https://make.wordpress.org/core/2021/06/29/introducing-update-uri-plugin-header-in-wordpress-5-8/ |
| Primary Src    | https://nvd.nist.gov/vuln/detail/CVE-2021-44223                                                   |
| WordPress      | core-5.7.4, FixedIn: 5.8                                                                          |
| Confidence     | 100 / WpScanMatch                                                                                 |
| CWE            | NVD-CWE-Other: (nvd)                                                                              |
| CWE            | https://cwe.mitre.org/data/definitions/NVD-CWE-Other.html                                         |
| nvd            | https://vavkamil.cz/2021/11/25/wordpress-plugin-confusion-update-can-get-you-pwned/               |
+----------------+---------------------------------------------------------------------------------------------------+

+----------------+----------------------------------------------------------------------------------+
| CVE-2021-20865 | FIXED                                                                            |
+----------------+----------------------------------------------------------------------------------+
| Max Score      | 7.5 HIGH (nvd)                                                                   |
| nvd            | 7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N HIGH                            |
| jvn            | 4.3/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N MEDIUM                          |
| nvd            | 5.0/AV:N/AC:L/Au:N/C:P/I:N/A:N MEDIUM                                            |
| jvn            | 4.0/AV:N/AC:L/Au:S/C:P/I:N/A:N MEDIUM                                            |
| Summary        | WordPress 用プラグイン Advanced Custom Fields における複数の認証欠如の脆弱性          |
|                | Delicious Brains が提供する WordPress 用プラグイン Advanced                          |
|                | Custom Fields には、次に挙げる複数の認証欠如の脆弱性が存在します。                     |
|                | ・データベース閲覧に関わる認証の欠如 (CWE-862) - CVE-2021-20865                     |
|                | ・ユーザ一覧取得に関わる認証の欠如 (CWE-862) - CVE-2021-20866                       |
|                | ・フィールドグループ移動に関わる認証の欠如 (CWE-862) - CVE-2021-20867               |
|                | この脆弱性情報は、情報セキュリティ早期警戒パートナーシップに基づき下記の方が             |
|                | IPA に報告し、JPCERT/CC が開発者との調整を行いました。 報告者:                        |
|                | 株式会社イエラエセキュリティ 山崎 啓太郎 氏                                           |
| Primary Src    | https://www.advancedcustomfields.com/                                            |
| Primary Src    | https://nvd.nist.gov/vuln/detail/CVE-2021-20865                                  |
| Primary Src    | https://jvndb.jvn.jp/ja/contents/2021/JVNDB-2021-000109.html                     |
| WordPress      | advanced-custom-fields-5.9.6, Update: available, FixedIn: 5.11, active           |
| WordPress      | advanced-custom-fields-pro-5.9.6, Update: available, FixedIn: 5.11, active       |
| Confidence     | 100 / WpScanMatch                                                                |
| Confidence     | 100 / WpScanMatch                                                                |
| CWE            | [CWE/SANS Top6] CWE-862: 認証の欠如(CWE-862) (nvd)                                 |
| CWE            | http://jvndb.jvn.jp/ja/cwe/CWE-862.html                                          |
| SANS/CWE Top25 | https://www.sans.org/top25-software-errors/                                      |
+----------------+----------------------------------------------------------------------------------+
```
What did you expect to happen?

reporting fixed pkgs

Please re-run the command using -debug and provide the output below.

Configuration (MUST fill this out):

go version: go version go1.16.3 linux/amd64

Go environment (go env):

Vuls environment: vuls-v0.19.0-build-20211217_102841_2b7294a

config.toml:

command:
I think the reason is that fixed/unfixed is not taken into account from WpPackageFixStats here.
vuls/models/vulninfos.go, lines 67 to 86 in 2b7294a
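Added example (not Vuls's own code): a simplified Go model of the check the comment above describes, where a CVE survives `-ignore-unfixed` if any affected OS package or any entry in WpPackageFixStats carries a fix. The struct layouts and every field name other than WpPackageFixStats are assumptions made for this illustration.

```go
package main

// Hypothetical, simplified models (not Vuls's own types): an OS package
// entry and a WordPress package entry as they appear in a scan result.
type PackageFixStatus struct {
	Name        string
	NotFixedYet bool // true when the distro ships no fixed version
}
type WpPackageFixStatus struct {
	Name     string
	FixState string // fixed-in version, "" when no fix is known
}
type VulnInfo struct {
	CveID             string
	AffectedPackages  []PackageFixStatus
	WpPackageFixStats []WpPackageFixStatus
}

// anyFixed reports whether any affected package, OS or WordPress, has a fix.
// Looking only at AffectedPackages would drop a WordPress-only CVE as unfixed.
func anyFixed(v VulnInfo) bool {
	for _, p := range v.AffectedPackages {
		if !p.NotFixedYet {
			return true
		}
	}
	for _, w := range v.WpPackageFixStats {
		if w.FixState != "" {
			return true
		}
	}
	return false
}

// filterUnfixed drops CVEs with no available fix when ignoreUnfixed is
// set; CVEs carrying no package data at all are kept so nothing is lost.
func filterUnfixed(vulns []VulnInfo, ignoreUnfixed bool) []VulnInfo {
	if !ignoreUnfixed {
		return vulns
	}
	kept := []VulnInfo{}
	for _, v := range vulns {
		noPkgs := len(v.AffectedPackages) == 0 && len(v.WpPackageFixStats) == 0
		if noPkgs || anyFixed(v) {
			kept = append(kept, v)
		}
	}
	return kept
}
```

With the two WordPress CVEs from the report above, `filterUnfixed(vulns, true)` keeps both, whereas a version that consults only AffectedPackages would return nothing.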