exploitDog

CVE-2021-24377

Опубликовано: 21 июн. 2021

Источник: nvd

CVSS3: 8.1

CVSS2: 6.8

EPSS Низкий

Описание

The Autoptimize WordPress plugin before 2.7.8 attempts to remove potential malicious files from the extracted archive uploaded via the 'Import Settings' feature, however this is not sufficient to protect against RCE as a race condition can be achieved in between the moment the file is extracted on the disk but not yet removed. It is a bypass of CVE-2020-24948.

Ссылки

https://wpscan.com/vulnerability/85c0a564-2e56-413d-bc3a-1039343207e4
Exploit
Third Party Advisory
https://wpscan.com/vulnerability/85c0a564-2e56-413d-bc3a-1039343207e4
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:autoptimize:autoptimize:*:*:*:*:*:wordpress:*:*

Версия до 2.7.8 (исключая)

EPSS

Процентиль: 65%

0.00485

Низкий

8.1 High

CVSS3

6.8 Medium

CVSS2

Дефекты

CWE-362

CWE-362

Связанные уязвимости

GHSA-4639-xx39-q537

github

больше 3 лет назад

The Autoptimize WordPress plugin before 2.7.8 attempts to remove potential malicious files from the extracted archive uploaded via the 'Import Settings' feature, however this is not sufficient to protect against RCE as a race condition can be achieved in between the moment the file is extracted on the disk but not yet removed. It is a bypass of CVE-2020-24948.

EPSS

Процентиль: 65%

0.00485

Низкий

8.1 High

CVSS3

6.8 Medium

CVSS2

Дефекты

CWE-362

CWE-362