CVE-2014-5266
Published 2014-08-18
Priority: P3 · 37 · medium · 5 · CVSS 2.0
AV:N/AC:L/Au:N/C:N/I:N/A:P
EXPLOIT
EPSS: 24.39% (97.6th percentile)
The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, does not limit the number of elements in an XML document, which allows remote attackers to cause a denial of service (CPU consumption) via a large document, a different vulnerability than CVE-2014-5265.
Affected
102 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | wordpress | < wordpress 3.9.2+dfsg-1 (bookworm) | wordpress 3.9.2+dfsg-1 (bookworm) |
| drupal | drupal | — | — |
Detection & IOCs (extracted from sources)
- Monitor for abnormally large XML POST bodies sent to xmlrpc.php, which is the attack vector for this XML element count exhaustion DoS.
- All WordPress and Drupal sites exposing xmlrpc.php are vulnerable regardless of whether XML-RPC functionality is actively used.
- The specific fix was to bail/skip parsing when an unreasonably large number of XML tags/elements is present in the document — detect requests where XML element count is excessively high.
- The OpenID module endpoint (xrds.inc) is also an attack surface on sites with OpenID enabled, in addition to xmlrpc.php.
- Metasploit auxiliary module exists for this DoS; watch for its characteristic large XML-RPC POST requests to WordPress xmlrpc.php.
- Affected versions span WordPress 3.5 through 3.9.2 (patched in 3.9.2, 3.8.4, 3.7.4) and Drupal 6.x before 6.33 / 7.x before 7.31; detection should account for all these version ranges.
- The vulnerability is in the shared IXR Library used by both WordPress and Drupal; any application embedding this library may also be affected.
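One way to apply the size and element-count checks from the list above to logged request bodies, as an added example (not code from the WordPress or Drupal patches). The two limits, the function names and the sample bodies are assumptions made for the illustration.

```python
import xml.parsers.expat

MAX_ELEMENTS = 30000      # assumed cap; the page does not give the value the patches use
MAX_BODY_BYTES = 1 << 20  # assumed threshold for an "abnormally large" POST body

# Constructed sample bodies (not captured traffic), kept tiny on purpose.
NORMAL = b"<?xml version='1.0'?><methodCall><methodName>demo.sayHello</methodName><params/></methodCall>"
MANY = b"<methodCall><params>" + b"<param/>" * 40 + b"</params></methodCall>"

class Rejected(Exception):
    """Raised inside expat callbacks to stop parsing immediately."""

def inspect_body(body, max_elements=MAX_ELEMENTS, max_bytes=MAX_BODY_BYTES):
    """Return (verdict, elements_seen) for one XML POST body."""
    if len(body) > max_bytes:
        return "oversized", 0            # cheap check, nothing is parsed
    seen = 0

    def on_start(name, attrs):
        nonlocal seen
        seen += 1
        if seen > max_elements:          # bail out instead of finishing the parse
            raise Rejected("too-many-elements")

    def on_doctype(*args):
        # XML-RPC needs no DTD; refusing one keeps entity tricks out of this tool.
        raise Rejected("doctype")

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = on_start
    parser.StartDoctypeDeclHandler = on_doctype
    try:
        parser.Parse(body, True)
    except Rejected as why:
        return str(why), seen
    except xml.parsers.expat.ExpatError:
        return "malformed", seen
    return "ok", seen

def flag_requests(records, **limits):
    """records: (path, body) pairs; returns (path, verdict, seen) for each alert."""
    hits = []
    for path, body in records:
        if not path.split("?")[0].endswith("xmlrpc.php"):
            continue                     # only the endpoint named on this page
        verdict, seen = inspect_body(body, **limits)
        if verdict != "ok":
            hits.append((path, verdict, seen))
    return hits
```

Because the counter raises from inside the parser callback, the CPU spent on a flagged body is bounded by the cap rather than by the document size.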
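CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| osv | — | 5.0 | MEDIUM | — |
| vendor_debian | — | 5.0 | MEDIUM | — |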
Debian
CVE-2014-5266: wordpress - The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal ...
vendor_debian·2014·CVSS 5.0
Scope: local
bookworm: resolved (fixed in 3.9.2+dfsg-1)
bullseye: resolved (fixed in 3.9.2+dfsg-1)
forky: resolved (fixed in 3.9.2+dfsg-1)
sid: resolved (fixed in 3.9.2+dfsg-1)
trixie: resolved (fixed in 3.9.2+dfsg-1)
GHSA
GHSA-mqgc-42gw-w5hm: The Incutio XML-RPC (IXR) Library, as used in WordPress before 3
ghsa_unreviewed·2022-05-17·CVSS 5.0
OSV
CVE-2014-5266: The Incutio XML-RPC (IXR) Library, as used in WordPress before 3
osv·2014-08-18·CVSS 5.0
No detection rules found.
Bugzilla
CVE-2014-5265 CVE-2014-5266 CVE-2014-5267 drupal: denial of service issue (SA-CORE-2014-004)
bugzilla·2014-08-07·CVSS 5.0
The upstream Drupal 6.33 and 7.31 releases fix the following issue:
""
Drupal 6 and Drupal 7 include an XML-RPC endpoint which is publicly available (xmlrpc.php). The PHP XML parser used by this XML-RPC endpoint is vulnerable to an XML entity expansion attack and other related XML payload attacks which can cause CPU and memory exhaustion and the site's database to reach the maximum number of open connections. Any of these may lead to the site becoming unavailable or unresponsive (denial of service).
All Drupal sites are vulnerable to this attack whether XML-RPC is used or not.
In addition, a similar vulnerability exists in the core OpenID module (for sites that have this module enabled).
""
Re
Bugzilla
CVE-2014-5265 CVE-2014-5266 wordpress: security issues fixed in version 3.9.2
bugzilla·2014-08-07·CVSS 5.0
The WordPress 3.9.2 release fixes the following security issue:
""
This release fixes a possible denial of service issue in PHP’s XML processing, reported by Nir Goldshlager of the Salesforce.com Product Security Team. It was fixed by Michael Adams and Andrew Nacin of the WordPress security team and David Rothstein of the Drupal security team. This is the first time our two projects have coordinated joint security releases.
""
A number of other security-related issues (that may receive CVEs) were fixed in this release. Refer to the upstream announcement for further details:
https://wordpress.org/news/2014/08/wordpress-3-9-2/
CVE request:
http://www.openwall.com/lists/oss-security/2014/08/07/2
Discussion:
- http://cgit.drupalcode.org/drupal/diff/includes/xmlrpc.inc?id=1849830
- http://cgit.drupalcode.org/drupal/diff/modules/openid/xrds.inc?id=1849830
- http://www.debian.org/security/2014/dsa-2999
- http://www.debian.org/security/2014/dsa-3001
- https://core.trac.wordpress.org/changeset/29404
- https://wordpress.org/news/2014/08/wordpress-3-9-2/
- https://www.drupal.org/SA-CORE-2014-004

Published: 2014-08-18