CVE-2014-5265
Published: 18 August 2014
The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, permits entity declarations without considering recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
drupal6 Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
| bionic |
Does not exist
|
|
| cosmic |
Does not exist
|
|
| disco |
Does not exist
|
|
| focal |
Does not exist
|
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| lucid |
Ignored
(end of life)
|
|
| lunar |
Does not exist
|
|
| mantic |
Does not exist
|
|
| precise |
Ignored
(end of life)
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| utopic |
Does not exist
|
|
| vivid |
Does not exist
|
|
| wily |
Does not exist
|
|
| xenial |
Does not exist
|
|
| yakkety |
Does not exist
|
|
| zesty |
Does not exist
|
|
|
drupal7 Launchpad, Ubuntu, Debian |
artful |
Not vulnerable
(7.32-1)
|
| bionic |
Does not exist
|
|
| cosmic |
Does not exist
|
|
| disco |
Does not exist
|
|
| focal |
Does not exist
|
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| lucid |
Does not exist
|
|
| lunar |
Does not exist
|
|
| mantic |
Does not exist
|
|
| precise |
Ignored
(end of life)
|
|
| trusty |
Needed
|
|
| upstream |
Released
(7.31-1)
|
|
| utopic |
Not vulnerable
(7.32-1)
|
|
| vivid |
Not vulnerable
(7.32-1)
|
|
| wily |
Not vulnerable
(7.32-1)
|
|
| xenial |
Not vulnerable
(7.32-1)
|
|
| yakkety |
Not vulnerable
(7.32-1)
|
|
| zesty |
Not vulnerable
(7.32-1)
|
|
|
wordpress Launchpad, Ubuntu, Debian |
artful |
Ignored
(end of life)
|
| bionic |
Not vulnerable
(3.9.2+dfsg-1)
|
|
| cosmic |
Not vulnerable
(3.9.2+dfsg-1)
|
|
| disco |
Not vulnerable
(3.9.2+dfsg-1)
|
|
| focal |
Not vulnerable
(3.9.2+dfsg-1)
|
|
| jammy |
Not vulnerable
(3.9.2+dfsg-1)
|
|
| kinetic |
Not vulnerable
(3.9.2+dfsg-1)
|
|
| lucid |
Ignored
(end of life)
|
|
| lunar |
Not vulnerable
(3.9.2+dfsg-1)
|
|
| mantic |
Not vulnerable
(3.9.2+dfsg-1)
|
|
| precise |
Ignored
(end of life)
|
|
| trusty |
Released
(3.8.2+dfsg-1ubuntu0.1)
|
|
| upstream |
Released
(3.9.2+dfsg-1)
|
|
| utopic |
Ignored
(end of life)
|
|
| vivid |
Ignored
(end of life)
|
|
| wily |
Ignored
(end of life)
|
|
| xenial |
Not vulnerable
(3.9.2+dfsg-1)
|
|
| yakkety |
Ignored
(end of life)
|
|
| zesty |
Ignored
(end of life)
|
References
- https://core.trac.wordpress.org/changeset/29405/branches/3.9
- https://www.drupal.org/SA-CORE-2014-004
- https://wordpress.org/news/2014/08/wordpress-3-9-2/
- https://core.trac.wordpress.org/changeset/29404
- http://cgit.drupalcode.org/drupal/diff/includes/xmlrpc.inc?id=1849830
- https://www.cve.org/CVERecord?id=CVE-2014-5265
- NVD
- Launchpad
- Debian