Difference between revisions of "CVEs"

From the WordPress Chinese documentation
(1 revision)
2009
第1行: 第1行:
CVE stands for Common Vulnerabilities and Exposures, which is an industry standard way to track security issues in software applications. They are tracked centrally in the [http://nvd.nist.gov/ National Vulnerability Database] run by the Department of Homeland Security.
+
CVE stands for Common Vulnerabilities and Exposures, which is an industry standard way to track security issues in software applications. They are tracked centrally in the [http://nvd.nist.gov/ National Vulnerability Database] [http://web.nvd.nist.gov/view/vuln/search?execution=e1s1 2]. NVD is a product of the [http://csrc.nist.gov/ NIST Computer Security Division].
  
Although many CVEs mention WordPress, only a few are applicable. Here is a list of CVEs that mention WordPress, organized by year, and whether the CVE impacts WordPress Plugins, the core programming, WordPress.com, or another aspect of WordPress, as well as which version of WordPress was impacted.
+
Although many CVEs mention WordPress, only a few are applicable. Here is a list of CVEs that mention WordPress, organized by year, and whether the CVE impacts WordPress Plugins, the core programming, WordPress.com, or another aspect of WordPress, as well as which version of WordPress was impacted. The Date used is the date of the report going public and not the day the vulnerability was discovered.
  
 
In terms of security of your WordPress blog, being on the [http://www.wordpress.org/download/ latest version of WordPress] is all you need. WordPress generally fixes vulnerabilities and releases an upgrade or security update version before they become public and are issued a CVE.
 
In terms of security of your WordPress blog, being on the [http://www.wordpress.org/download/ latest version of WordPress] is all you need. WordPress generally fixes vulnerabilities and releases an upgrade or security update version before they become public and are issued a CVE.
 +
 +
WordPress uses third party applications like the Apache webserver, the PHP scripting language and the MySQL database. You should keep these versions current as well. Reports for these third party applications are not listed on this page.
 +
 +
Additionally you can take precaution actions by using [http://www.hardened-php.net/suhosin/ Suhosin], an advanced protection system for PHP installations.
 +
 +
== 2009 ==
 +
16 total CVEs, 1 apply to plugins, 15 apply to core, 0 to legacy, and 0 are invalid. (for 2009 mostly core CVEs listed here, too many plugins)
 +
table
 +
tr
 +
th width=125CVE ID/th
 +
th width=100Date/th
 +
th width=125Impact/th
 +
thNotes/th
 +
/tr
 +
trtd[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2009-3891 CVE-2009-3891]/tdtd2009-11-17/tdtdCore/tdtdXSS/td
 +
trtd[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2009-3890 CVE-2009-3890]/tdtd2009-11-17/tdtdCore/tdtdFile Upload Bypass/td
 +
trtd[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2009-3622 CVE-2009-3622]/tdtd2009-10-23/tdtdCore/tdtdDenial Of Service/td
 +
trtd[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2009-2854 CVE-2009-2854]/tdtd2009-08-18/tdtdCore/tdtdBoundary Escalation/td
 +
trtd[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2009-2853 CVE-2009-2853]/tdtd2009-08-18/tdtdCore/tdtdPrivelege Escalation/td
 +
trtd[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2009-2851 CVE-2009-2851]/tdtd2009-08-18/tdtdCore/tdtdXSS/td
 +
trtd[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2009-2762 CVE-2009-2762]/tdtd2009-08-13/tdtdCore/tdtdPassword Reset/td
 +
trtd[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2009-2432 CVE-2009-2432]/tdtd2009-07-10/tdtdCore/tdtdInformation Disclosure (as well for WPMU)/td
 +
trtd[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2009-2431 CVE-2009-2431]/tdtd2009-07-10/tdtdCore/tdtdInformation Disclosure/td
 +
trtd[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2009-2336 CVE-2009-2336]/tdtd2009-07-10/tdtdCore/tdtdUser Information Disclosure /td
 +
trtd[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2009-2335 CVE-2009-2335]/tdtd2009-07-10/tdtdCore/tdtdUser Information Disclosure/td
 +
trtd[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2009-2334 CVE-2009-2334]/tdtd2009-07-10/tdtdCore/tdtdPrivelege Escalation / Information Disclosure/td
 +
trtd[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-6767 CVE-2008-6767]/tdtd2009-04-28/tdtdCore/tdtdDenial Of Service/td
 +
trtd[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-6762 CVE-2008-6762]/tdtd2009-03-20/tdtdCore/tdtdOpen Redirect/td
 +
trtd[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2009-1030 CVE-2009-1030]/tdtd2009-03-20/tdtdCore/tdtdWordPress MU below 2.7/td/tr
 +
trtd[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2009-0968 CVE-2009-0968]/tdtd2009-03-19/tdtdPlugin/tdtdnbsp;/td/tr
 +
/table
  
 
== 2008 ==
 
== 2008 ==
  
42 total CVEs, 33 apply to plugins, 3 apply to core, 2 to legacy, and 4 are invalid.
+
59 total CVEs, 40 apply to plugins, 10 apply to core, 3 to legacy, and 6 are invalid.
  
 
table
 
table
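Review bot: the 2009 table this hunk adds closes only its last two rows; every row from CVE-2009-3891 down to CVE-2008-6762 ends at /td with no /tr, so 14 of the 16 rows are malformed and should get the same /td/tr ending the CVE-2009-1030 and CVE-2009-0968 rows have. Two rows spell "Privelege" (CVE-2009-2853 and CVE-2009-2334), and "Boundary Escalation" for CVE-2009-2854 is not a recognisable vulnerability class and needs a word of explanation in the Notes cell. CVE-2008-6767 and CVE-2008-6762 carry 2008 identifiers yet sit in the 2009 table, and the next hunk adds both to the 2008 table as well, where 6767 is classed Invalid ("Same Report as in CVE-2008-6762") instead of Core / Denial Of Service and 6762 is dated 2009-04-28 instead of 2009-03-20; list each ID under one year only with one classification and one date. In the rewritten intro, replacing "run by the Department of Homeland Security" with the NIST Computer Security Division is correct, but the bare "2" link after National Vulnerability Database reads as a stray footnote and should be a labelled link or dropped. Finally, "being on the latest version of WordPress is all you need" is contradicted by the page's own Plugin rows and by the parenthetical "too many plugins"; qualify it to core, and tell the reader plugins need updating too.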
第16行: 第47行:
 
thNotes/th
 
thNotes/th
 
/tr
 
/tr
 +
trtd[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-6811 CVE-2008-6811]/tdtd2009-05-18/tdtdPlugin/tdtdnbsp;/td/tr
 +
trtd[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-6767 CVE-2008-6767]/tdtd2009-04-28/tdtdInvalid/tdtdSame Report as in [http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-6762 CVE-2008-6762]/td/tr
 +
trtd[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-6762 CVE-2008-6762]/tdtd2009-04-28/tdtdCore/tdtdnbsp;/td/tr
 +
trtd[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-5752 CVE-2008-5752]/tdtd2008-12-30/tdtdPlugin/tdtdnbsp;/td/tr
 +
trtd[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-5695 CVE-2008-5695]/tdtd2008-12-19/tdtdLegacy Core/tdtdWordPress MU before 1.3.2, and WordPress 2.3.2 and earlier/td/tr
 +
trtd[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-5278 CVE-2008-5278]/tdtd2008-11-28/tdtdCore/tdtdWordPress before 2.6.5/td/tr
 +
trtd[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-5113 CVE-2008-5113]/tdtd2008-11-17/tdtdCore/tdtdWordPress 2.6.3/td/tr
 +
trtd[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-4769 CVE-2008-4769]/tdtd2008-10-28/tdtdCore/tdtdWordPress 2.3.3 and earlier, and 2.5/td/tr
 +
trtd[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-4734 CVE-2008-4734]/tdtd2008-10-24/tdtdPlugin/tdtdnbsp;/td/tr
 +
trtd[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-4733 CVE-2008-4733]/tdtd2008-10-24/tdtdPlugin/tdtdnbsp;/td/tr
 +
trtd[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-4671 CVE-2008-4671]/tdtd2008-10-22/tdtdCore/tdtdWordpress MU before 2.6/td/tr
 +
trtd[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-4625 CVE-2008-4625]/tdtd2008-10-21/tdtdPlugin/tdtdnbsp;/td/tr
 +
trtd[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-4616 CVE-2008-4616]/tdtd2008-10-20/tdtdPlugin/tdtdnbsp;/td/tr
 +
trtd[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-4106 CVE-2008-4106]/tdtd2008-09-18/tdtdCore/tdtdWordPress before 2.6.2/td/tr
 +
trtd[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-3747 CVE-2008-3747]/tdtd2008-08-27/tdtdCore/tdtdWordPress before 2.6.1/td/tr
 +
trtd[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-3362 CVE-2008-3362]/tdtd2008-07-30/tdtdPlugin/tdtdnbsp;/td/tr
 +
trtd[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-3233 CVE-2008-3233]/tdtd2008-07-18/tdtdInvalid/tdtdSVN only/td/tr
 +
 
tr
 
tr
 
td[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-2510 CVE-2008-2510]/td
 
td[http://nvd.nist.gov/nvd.cfm\?cvename=CVE-2008-2510 CVE-2008-2510]/td
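Review bot: the revised totals (59 total, 40 plugins, 10 core, 3 legacy, 6 invalid) agree with what this hunk adds: 17 rows, of which 7 Plugin, 7 Core, 1 Legacy Core and 2 Invalid, exactly the change from 42/33/3/2/4. The baseline itself does not check out against the rendered table further down the page, which shows 41 earlier rows, 31 of them Plugin, and lists CVE-2008-2146 twice (Invalid, 2008-05-12, "Covered by previous CVE", and Plugin, 2008-04-27), so one of those two IDs is probably a typo for another CVE; recount before committing the totals. The WordPress.com row (CVE-2008-1304) belongs to none of the four buckets, so the four counts cannot add up to the total unless the summary says the total includes uncategorised rows. CVE-2008-6767 is marked Invalid here but Core / Denial Of Service in the 2009 table added in the previous hunk, and CVE-2008-6762 is dated 2009-04-28 here but 2009-03-20 there.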
第263行: 第312行:
 
/tr
 
/tr
 
/table
 
/table
 +
 +
== See Also ==
 +
* [[User:Here/Exploits]]
 +
 +
[[Category:Advanced Topics]]
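Review bot: the new See Also entry points at a user-space page (User:Here/Exploits); user subpages are moved or deleted without notice and get no article review, so either move that content into article space or drop the link. Adding [[Category:Advanced Topics]] is fine. The context lines show this table ending properly with /tr and /table; the 2009 table added earlier in this change does not close its rows the same way and should.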

Revision as of 15:09, 27 December 2009 (Sunday)

CVE stands for Common Vulnerabilities and Exposures, an industry-standard way to identify and track publicly known security issues in software. CVE identifiers are assigned by the CVE program run by MITRE; the entries are indexed centrally in the National Vulnerability Database (NVD), a product of the NIST Computer Security Division, which adds severity scores and links to the underlying reports.

Although many CVEs mention WordPress, only a few apply to a current WordPress installation. Below is a list of CVEs that mention WordPress, organized by year, with whether each CVE affects a WordPress plugin, the core code, WordPress.com, or another part of WordPress, and which versions of WordPress were affected. The Date column is the date the report went public, not the day the vulnerability was discovered or fixed; as the Notes show, the fix often shipped months before the CVE was published.

For the security of your WordPress blog, running the latest version of WordPress is the single most important step, and it covers everything in the Core rows below: WordPress generally fixes vulnerabilities and releases an upgrade or security update before they become public and are issued a CVE. It does not cover the Plugin rows, which make up the majority of the entries below, so keep installed plugins current as well and remove the ones you do not use.

WordPress runs on third-party software: the Apache web server, the PHP scripting language and the MySQL database. Keep these current as well; vulnerabilities in them are tracked under their own CVEs and are not listed on this page.

As an additional precaution you can install Suhosin, an advanced protection system for PHP installations. It hardens the PHP runtime itself and is a defence-in-depth layer, not a substitute for applying the updates above.

2009

16 total CVEs, 1 apply to plugins, 15 apply to core, 0 to legacy, and 0 are invalid. (For 2009 mostly core CVEs are listed here; plugin CVEs were too numerous to list, so these totals cover only the rows below.)

<table>
<tr><th width="125">CVE ID</th><th width="100">Date</th><th width="125">Impact</th><th>Notes</th></tr>
<tr><td>CVE-2009-3891</td><td>2009-11-17</td><td>Core</td><td>XSS</td></tr>
<tr><td>CVE-2009-3890</td><td>2009-11-17</td><td>Core</td><td>File Upload Bypass</td></tr>
<tr><td>CVE-2009-3622</td><td>2009-10-23</td><td>Core</td><td>Denial Of Service</td></tr>
<tr><td>CVE-2009-2854</td><td>2009-08-18</td><td>Core</td><td>Boundary Escalation</td></tr>
<tr><td>CVE-2009-2853</td><td>2009-08-18</td><td>Core</td><td>Privilege Escalation</td></tr>
<tr><td>CVE-2009-2851</td><td>2009-08-18</td><td>Core</td><td>XSS</td></tr>
<tr><td>CVE-2009-2762</td><td>2009-08-13</td><td>Core</td><td>Password Reset</td></tr>
<tr><td>CVE-2009-2432</td><td>2009-07-10</td><td>Core</td><td>Information Disclosure (also affects WPMU)</td></tr>
<tr><td>CVE-2009-2431</td><td>2009-07-10</td><td>Core</td><td>Information Disclosure</td></tr>
<tr><td>CVE-2009-2336</td><td>2009-07-10</td><td>Core</td><td>User Information Disclosure</td></tr>
<tr><td>CVE-2009-2335</td><td>2009-07-10</td><td>Core</td><td>User Information Disclosure</td></tr>
<tr><td>CVE-2009-2334</td><td>2009-07-10</td><td>Core</td><td>Privilege Escalation / Information Disclosure</td></tr>
<tr><td>CVE-2008-6767</td><td>2009-04-28</td><td>Core</td><td>Denial Of Service</td></tr>
<tr><td>CVE-2008-6762</td><td>2009-03-20</td><td>Core</td><td>Open Redirect</td></tr>
<tr><td>CVE-2009-1030</td><td>2009-03-20</td><td>Core</td><td>WordPress MU below 2.7</td></tr>
<tr><td>CVE-2009-0968</td><td>2009-03-19</td><td>Plugin</td><td></td></tr>
</table>

2008

59 total CVEs, 40 apply to plugins, 10 apply to core, 3 to legacy, and 6 are invalid.

<table>
<tr><th width="125">CVE ID</th><th width="100">Date</th><th width="125">Impact</th><th>Notes</th></tr>
<tr><td>CVE-2008-6811</td><td>2009-05-18</td><td>Plugin</td><td></td></tr>
<tr><td>CVE-2008-6767</td><td>2009-04-28</td><td>Invalid</td><td>Same report as CVE-2008-6762</td></tr>
<tr><td>CVE-2008-6762</td><td>2009-04-28</td><td>Core</td><td></td></tr>
<tr><td>CVE-2008-5752</td><td>2008-12-30</td><td>Plugin</td><td></td></tr>
<tr><td>CVE-2008-5695</td><td>2008-12-19</td><td>Legacy Core</td><td>WordPress MU before 1.3.2, and WordPress 2.3.2 and earlier</td></tr>
<tr><td>CVE-2008-5278</td><td>2008-11-28</td><td>Core</td><td>WordPress before 2.6.5</td></tr>
<tr><td>CVE-2008-5113</td><td>2008-11-17</td><td>Core</td><td>WordPress 2.6.3</td></tr>
<tr><td>CVE-2008-4769</td><td>2008-10-28</td><td>Core</td><td>WordPress 2.3.3 and earlier, and 2.5</td></tr>
<tr><td>CVE-2008-4734</td><td>2008-10-24</td><td>Plugin</td><td></td></tr>
<tr><td>CVE-2008-4733</td><td>2008-10-24</td><td>Plugin</td><td></td></tr>
<tr><td>CVE-2008-4671</td><td>2008-10-22</td><td>Core</td><td>WordPress MU before 2.6</td></tr>
<tr><td>CVE-2008-4625</td><td>2008-10-21</td><td>Plugin</td><td></td></tr>
<tr><td>CVE-2008-4616</td><td>2008-10-20</td><td>Plugin</td><td></td></tr>
<tr><td>CVE-2008-4106</td><td>2008-09-18</td><td>Core</td><td>WordPress before 2.6.2</td></tr>
<tr><td>CVE-2008-3747</td><td>2008-08-27</td><td>Core</td><td>WordPress before 2.6.1</td></tr>
<tr><td>CVE-2008-3362</td><td>2008-07-30</td><td>Plugin</td><td></td></tr>
<tr><td>CVE-2008-3233</td><td>2008-07-18</td><td>Invalid</td><td>SVN only</td></tr>
<tr><td>CVE-2008-2510</td><td>2008-05-29</td><td>Plugin</td><td></td></tr>
<tr><td>CVE-2008-2392</td><td>2008-05-21</td><td>Invalid</td><td>An "Admin" user can edit plugins and upload files if file permissions allow; this is intentional.</td></tr>
<tr><td>CVE-2008-2146</td><td>2008-05-12</td><td>Invalid</td><td>Describes a known issue in WordPress 2.2, which was released more than a year before (covered by a previous CVE). The problem described was fixed 9 months before this report.</td></tr>
<tr><td>CVE-2008-2068</td><td>2008-05-02</td><td>Core</td><td>"Unspecified vectors" were never publicly reported, but fixed in 2.5.1.</td></tr>
<tr><td>CVE-2008-2034</td><td>2008-04-30</td><td>Plugin</td><td></td></tr>
<tr><td>CVE-2008-1930</td><td>2008-04-28</td><td>Core</td><td>Cookie-based cryptographic splicing attack. Fixed in 2.5.1 prior to disclosure.</td></tr>
<tr><td>CVE-2008-2146</td><td>2008-04-27</td><td>Plugin</td><td></td></tr>
<tr><td>CVE-2008-1982</td><td>2008-04-02</td><td>Plugin</td><td></td></tr>
<tr><td>CVE-2008-1304</td><td>2008-03-12</td><td>WordPress.com</td><td>XSS in the invite system on WordPress.com; did not apply to WordPress.org blogs at all.</td></tr>
<tr><td>CVE-2008-1060</td><td>2008-02-28</td><td>Plugin</td><td></td></tr>
<tr><td>CVE-2008-1059</td><td>2008-02-28</td><td>Plugin</td><td></td></tr>
<tr><td>CVE-2008-0939</td><td>2008-02-25</td><td>Plugin</td><td></td></tr>
<tr><td>CVE-2008-0845</td><td>2008-02-20</td><td>Plugin</td><td></td></tr>
<tr><td>CVE-2008-0837</td><td>2008-02-20</td><td>Plugin</td><td></td></tr>
<tr><td>CVE-2008-0691</td><td>2008-02-11</td><td>Plugin</td><td></td></tr>
<tr><td>CVE-2008-0683</td><td>2008-02-11</td><td>Plugin</td><td></td></tr>
<tr><td>CVE-2008-0682</td><td>2008-02-11</td><td>Plugin</td><td></td></tr>
<tr><td>CVE-2008-0664</td><td>2008-02-07</td><td>Core</td><td>If registration was enabled, an undisclosed vulnerability in XML-RPC. Fixed by 2.5 prior to disclosure.</td></tr>
<tr><td>CVE-2008-0618</td><td>2008-02-06</td><td>Plugin</td><td></td></tr>
<tr><td>CVE-2008-0617</td><td>2008-02-06</td><td>Plugin</td><td></td></tr>
<tr><td>CVE-2008-0616</td><td>2008-02-06</td><td>Plugin</td><td></td></tr>
<tr><td>CVE-2008-0615</td><td>2008-02-06</td><td>Plugin</td><td></td></tr>
<tr><td>CVE-2008-0560</td><td>2008-02-04</td><td>Plugin</td><td></td></tr>
<tr><td>CVE-2008-0520</td><td>2008-01-31</td><td>Plugin</td><td></td></tr>
<tr><td>CVE-2008-0508</td><td>2008-01-31</td><td>Plugin</td><td></td></tr>
<tr><td>CVE-2008-0507</td><td>2008-01-31</td><td>Plugin</td><td></td></tr>
<tr><td>CVE-2008-0491</td><td>2008-01-30</td><td>Plugin</td><td></td></tr>
<tr><td>CVE-2008-0490</td><td>2008-01-30</td><td>Plugin</td><td></td></tr>
<tr><td>CVE-2008-0388</td><td>2008-01-22</td><td>Plugin</td><td></td></tr>
<tr><td>CVE-2008-0222</td><td>2008-01-10</td><td>Plugin</td><td></td></tr>
<tr><td>CVE-2008-0206</td><td>2008-01-09</td><td>Plugin</td><td></td></tr>
<tr><td>CVE-2008-0205</td><td>2008-01-09</td><td>Plugin</td><td></td></tr>
<tr><td>CVE-2008-0204</td><td>2008-01-09</td><td>Plugin</td><td></td></tr>
<tr><td>CVE-2008-0198</td><td>2008-01-09</td><td>Plugin</td><td></td></tr>
<tr><td>CVE-2008-0197</td><td>2008-01-09</td><td>Plugin</td><td></td></tr>
<tr><td>CVE-2008-0196</td><td>2008-01-09</td><td>Legacy Core</td><td>Problem in the legacy 2.0 branch of WordPress, not applicable to current versions.</td></tr>
<tr><td>CVE-2008-0195</td><td>2008-01-09</td><td>Legacy Core</td><td>Disclosure in the legacy 2.0 branch of WordPress, not applicable to current versions.</td></tr>
<tr><td>CVE-2008-0194</td><td>2008-01-09</td><td>Plugin</td><td>Fixed in version 2.1.0 of this plugin, released 7 months prior to this CVE.</td></tr>
<tr><td>CVE-2008-0193</td><td>2008-01-09</td><td>Plugin</td><td>Fixed in version 2.1.0 of this plugin, released 7 months prior to this CVE.</td></tr>
<tr><td>CVE-2008-0192</td><td>2008-01-09</td><td>Invalid</td><td>Problem already fixed by the 2.0.10 release, 9 months before this CVE.</td></tr>
<tr><td>CVE-2008-0191</td><td>2008-01-09</td><td>Invalid</td><td>Could not be reproduced in the current release (2.3.2) at that time.</td></tr>
</table>
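The summary line above each table is maintained by hand, and the tables above give it plenty of ways to drift: rows with an identifier from another year, the same CVE listed twice, an Impact such as WordPress.com that belongs to none of the four counted buckets. The following script is an added example written for this page (not code from the original article or from the WordPress project). It parses rows in the bracket-stripped form the rendered page shows, tallies them by Impact, diffs the tallies against the summary sentence, and flags duplicate and foreign-year IDs. The sample input is the page's own 2009 section copied verbatim plus three of its 2008 rows; the regular expressions and bucket names are this example's assumptions about the page's layout, not anything the wiki defines.

```python
"""Consistency check for one year-section of the WordPress CVE list.

Added example, not code from the original page or from WordPress. Parses rows
in the bracket-stripped form the rendered page shows (trtd.../td...), tallies
them by Impact, compares with the summary sentence, and flags duplicate IDs
and IDs from another year.
"""
import re
from collections import Counter

# One data row of four td cells. Matches both spellings seen on the page,
# "trtd.../tdtd..." and "tr td.../td td...". Header rows use th and never match.
ROW_RE = re.compile(
    r"tr\s*td(?P<id>.*?)/td\s*td(?P<date>.*?)/td"
    r"\s*td(?P<impact>.*?)/td\s*td(?P<notes>.*?)/td",
    re.DOTALL,
)
CVE_RE = re.compile(r"CVE-(\d{4})-\d{4,}")
SUMMARY_RE = re.compile(
    r"(\d+) total CVEs, (\d+) apply to plugins, (\d+) apply to core, "
    r"(\d+) to legacy, and (\d+) are invalid"
)
# Impact cell (lower-cased) -> bucket named in the summary sentence. Anything
# else (e.g. "WordPress.com") lands in "other", which the summary never counts.
BUCKETS = {"plugin": "plugins", "core": "core",
           "legacy core": "legacy", "invalid": "invalid"}


def parse_rows(table_text):
    """One dict per data row; rows whose first cell has no CVE ID are dropped."""
    rows = []
    for m in ROW_RE.finditer(table_text):
        cve = CVE_RE.search(m.group("id"))
        if cve is None:
            continue
        rows.append({
            "id": cve.group(0),
            "year": int(cve.group(1)),
            "date": m.group("date").strip(),
            "impact": m.group("impact").strip(),
            "notes": m.group("notes").replace("nbsp;", "").strip(),
        })
    return rows


def check_section(year, table_text, summary_text=None):
    """Tally the rows and, if a summary sentence is given, diff it against them."""
    rows = parse_rows(table_text)
    tally = Counter(BUCKETS.get(r["impact"].lower(), "other") for r in rows)
    seen = Counter(r["id"] for r in rows)
    report = {
        "total": len(rows),
        "tally": dict(tally),
        "duplicates": sorted(i for i, n in seen.items() if n > 1),
        "foreign_year": sorted(r["id"] for r in rows if r["year"] != year),
        "mismatches": [],  # (bucket, claimed, counted)
    }
    if summary_text is not None:
        m = SUMMARY_RE.search(summary_text)
        if m is None:
            raise ValueError("summary sentence is not in the expected form")
        claimed = zip(("total", "plugins", "core", "legacy", "invalid"),
                      map(int, m.groups()))
        for bucket, want in claimed:
            got = report["total"] if bucket == "total" else tally.get(bucket, 0)
            if got != want:
                report["mismatches"].append((bucket, want, got))
    return report


# Constructed sample input: the page's 2009 section verbatim, and three of its
# 2008 rows (a subset, so no 2008 summary is checked against them).
SUMMARY_2009 = ("16 total CVEs, 1 apply to plugins, 15 apply to core, "
                "0 to legacy, and 0 are invalid.")
SAMPLE_2009_ROWS = """
tr th width=125CVE ID/th th width=100Date/th th width=125Impact/th thNotes/th /tr
trtdCVE-2009-3891/tdtd2009-11-17/tdtdCore/tdtdXSS/td
trtdCVE-2009-3890/tdtd2009-11-17/tdtdCore/tdtdFile Upload Bypass/td
trtdCVE-2009-3622/tdtd2009-10-23/tdtdCore/tdtdDenial Of Service/td
trtdCVE-2009-2854/tdtd2009-08-18/tdtdCore/tdtdBoundary Escalation/td
trtdCVE-2009-2853/tdtd2009-08-18/tdtdCore/tdtdPrivelege Escalation/td
trtdCVE-2009-2851/tdtd2009-08-18/tdtdCore/tdtdXSS/td
trtdCVE-2009-2762/tdtd2009-08-13/tdtdCore/tdtdPassword Reset/td
trtdCVE-2009-2432/tdtd2009-07-10/tdtdCore/tdtdInformation Disclosure (as well for WPMU)/td
trtdCVE-2009-2431/tdtd2009-07-10/tdtdCore/tdtdInformation Disclosure/td
trtdCVE-2009-2336/tdtd2009-07-10/tdtdCore/tdtdUser Information Disclosure /td
trtdCVE-2009-2335/tdtd2009-07-10/tdtdCore/tdtdUser Information Disclosure/td
trtdCVE-2009-2334/tdtd2009-07-10/tdtdCore/tdtdPrivelege Escalation / Information Disclosure/td
trtdCVE-2008-6767/tdtd2009-04-28/tdtdCore/tdtdDenial Of Service/td
trtdCVE-2008-6762/tdtd2009-03-20/tdtdCore/tdtdOpen Redirect/td
trtdCVE-2009-1030/tdtd2009-03-20/tdtdCore/tdtdWordPress MU below 2.7/td/tr
trtdCVE-2009-0968/tdtd2009-03-19/tdtdPlugin/tdtdnbsp;/td/tr
"""
SAMPLE_2008_ROWS = (
    "tr tdCVE-2008-2146/td td2008-05-12/td tdInvalid/td tdCovered by previous CVE./td /tr "
    "tr tdCVE-2008-1304/td td2008-03-12/td tdWordPress.com/td tdXSS in invite system/td /tr "
    "tr tdCVE-2008-2146/td td2008-04-27/td tdPlugin/td tdnbsp;/td /tr"
)

if __name__ == "__main__":
    print(check_section(2009, SAMPLE_2009_ROWS, SUMMARY_2009))
    print(check_section(2008, SAMPLE_2008_ROWS))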

See Also

* User:Here/Exploits