Vulnerability Details: CVE-2019-17669
WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because URL validation does not consider the interpretation of a name as a series of hex characters.
Vulnerability category: Server-side request forgery (SSRF)
Products affected by CVE-2019-17669
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*
Threat overview for CVE-2019-17669
- Top open port discovered on systems with this issue: 80
- IPs affected by CVE-2019-17669: 3,013
- Threat actors abusing this issue? Yes
Exploit Prediction Scoring System (EPSS) score for CVE-2019-17669
- EPSS score: 11.02% (probability of exploitation activity in the next 30 days)
- Percentile: ~93% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2019-17669
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST |
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST |
CWE ids for CVE-2019-17669
- The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-17669
- https://www.debian.org/security/2020/dsa-4599 ("Debian -- Security Information -- DSA-4599-1 wordpress"; Third Party Advisory)
- https://seclists.org/bugtraq/2020/Jan/8 ("Bugtraq: [SECURITY] [DSA 4599-1] wordpress security update"; Mailing List, Third Party Advisory)
- https://core.trac.wordpress.org/changeset/46475 ("Changeset 46475 – WordPress Trac"; Vendor Advisory)
- https://github.com/WordPress/WordPress/commit/608d39faed63ea212b6c6cdf9fe2bef92e2120ea ("HTTP API: Protect against hex interpretation. · WordPress/WordPress@608d39f · GitHub"; Patch, Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2019/11/msg00000.html ("[SECURITY] [DLA 1980-1] wordpress security update"; Mailing List, Third Party Advisory)
- https://www.debian.org/security/2020/dsa-4677 ("Debian -- Security Information -- DSA-4677-1 wordpress"; Third Party Advisory)
- https://wpvulndb.com/vulnerabilities/9912 ("WordPress <= 5.2.3 - Server-Side Request Forgery (SSRF) in URL Validation"; Third Party Advisory)
- https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html ("WordPress 5.2.4 Security Release Breakdown"; Third Party Advisory)
- https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/ ("News – WordPress 5.2.4 Security Release – WordPress.org"; Release Notes, Vendor Advisory)