CVE-2009-2335 - OpenCVE

WordPress and WordPress MU before 2.8.1 exhibit different behavior for a failed login attempt depending on whether the user account exists, which allows remote attackers to enumerate valid usernames. NOTE: the vendor reportedly disputes the significance of this issue, indicating that the behavior exists for "user convenience."

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Wordpress	Wordpress Wordpress Mu

Configuration 1 [-]

OR	cpe:2.3:a:wordpress:wordpress::::::::
	cpe:2.3:a:wordpress:wordpress_mu::::::::

References

Link	Resource
http://corelabs.coresecurity.com/index.php?action=view&type=advisory&name=WordPress_Privileges_Unchecked	Exploit Third Party Advisory
http://securitytracker.com/id?1022528	Third Party Advisory VDB Entry
http://www.exploit-db.com/exploits/9110	Third Party Advisory VDB Entry
http://www.osvdb.org/55713	Broken Link
http://www.securityfocus.com/archive/1/504795/100/0/threaded	Third Party Advisory VDB Entry
http://www.securityfocus.com/bid/35581	Third Party Advisory VDB Entry
http://www.vupen.com/english/advisories/2009/1833	Patch Vendor Advisory
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00597.html	Third Party Advisory
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00608.html	Third Party Advisory
https://www.redhat.com/archives/fedora-package-announce/2009-July/msg00632.html	Third Party Advisory
https://www.redhat.com/archives/fedora-package-announce/2009-July/msg00676.html	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2009-07-10T20:25:00

Updated: 2018-10-10T18:57:01

Reserved: 2009-07-05T00:00:00

Link: CVE-2009-2335

JSON object: View

NVD Information

Status : Analyzed

Published: 2009-07-10T21:00:00.203

Modified: 2018-11-08T20:38:55.627

Link: CVE-2009-2335

JSON object: View

Redhat Information

No data.

CWE

CWE-16

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2009-07-08T00:00:00", "descriptions": [{"lang": "en", "value": "WordPress and WordPress MU before 2.8.1 exhibit different behavior for a failed login attempt depending on whether the user account exists, which allows remote attackers to enumerate valid usernames. NOTE: the vendor reportedly disputes the significance of this issue, indicating that the behavior exists for \"user convenience.\""}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-10T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "FEDORA-2009-8538", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00608.html"}, {"tags": ["x_refsource_MISC"], "url": "http://corelabs.coresecurity.com/index.php?action=view&type=advisory&name=WordPress_Privileges_Unchecked"}, {"name": "FEDORA-2009-7729", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://www.redhat.com/archives/fedora-package-announce/2009-July/msg00676.html"}, {"name": "20090708 CORE-2009-01515 - WordPress Privileges Unchecked in admin.php and Multiple Information", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/504795/100/0/threaded"}, {"name": "1022528", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://securitytracker.com/id?1022528"}, {"name": "FEDORA-2009-7701", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://www.redhat.com/archives/fedora-package-announce/2009-July/msg00632.html"}, {"name": "ADV-2009-1833", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2009/1833"}, {"name": "FEDORA-2009-8529", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00597.html"}, {"name": "55713", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://www.osvdb.org/55713"}, {"name": "9110", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "http://www.exploit-db.com/exploits/9110"}, {"name": "35581", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/35581"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2009-2335", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "WordPress and WordPress MU before 2.8.1 exhibit different behavior for a failed login attempt depending on whether the user account exists, which allows remote attackers to enumerate valid usernames. NOTE: the vendor reportedly disputes the significance of this issue, indicating that the behavior exists for \"user convenience.\""}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "FEDORA-2009-8538", "refsource": "FEDORA", "url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00608.html"}, {"name": "http://corelabs.coresecurity.com/index.php?action=view&type=advisory&name=WordPress_Privileges_Unchecked", "refsource": "MISC", "url": "http://corelabs.coresecurity.com/index.php?action=view&type=advisory&name=WordPress_Privileges_Unchecked"}, {"name": "FEDORA-2009-7729", "refsource": "FEDORA", "url": "https://www.redhat.com/archives/fedora-package-announce/2009-July/msg00676.html"}, {"name": "20090708 CORE-2009-01515 - WordPress Privileges Unchecked in admin.php and Multiple Information", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/504795/100/0/threaded"}, {"name": "1022528", "refsource": "SECTRACK", "url": "http://securitytracker.com/id?1022528"}, {"name": "FEDORA-2009-7701", "refsource": "FEDORA", "url": "https://www.redhat.com/archives/fedora-package-announce/2009-July/msg00632.html"}, {"name": "ADV-2009-1833", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2009/1833"}, {"name": "FEDORA-2009-8529", "refsource": "FEDORA", "url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00597.html"}, {"name": "55713", "refsource": "OSVDB", "url": "http://www.osvdb.org/55713"}, {"name": "9110", "refsource": "EXPLOIT-DB", "url": "http://www.exploit-db.com/exploits/9110"}, {"name": "35581", "refsource": "BID", "url": "http://www.securityfocus.com/bid/35581"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2009-2335", "datePublished": "2009-07-10T20:25:00", "dateReserved": "2009-07-05T00:00:00", "dateUpdated": "2018-10-10T18:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*", "matchCriteriaId": "513237CD-92E3-46CD-8221-88F36B243101", "versionEndExcluding": "2.8.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:wordpress:wordpress_mu:*:*:*:*:*:*:*:*", "matchCriteriaId": "1327C621-452A-4BA4-B2E7-28AE4533DCC1", "versionEndExcluding": "2.8.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "WordPress and WordPress MU before 2.8.1 exhibit different behavior for a failed login attempt depending on whether the user account exists, which allows remote attackers to enumerate valid usernames. NOTE: the vendor reportedly disputes the significance of this issue, indicating that the behavior exists for \"user convenience.\""}, {"lang": "es", "value": "WordPress y WordPress MU anterior a v2.8.1 expone un comportamiento diferente para un intento fallido de acceso en funci\u00f3n de si existe la cuenta de usuario, lo cual permite a atacantes remotos enumerar nombres de usuario v\u00e1lidos. NOTA: el proveedor informa de que cuestiona la importancia de esta incidencia, indicando que el comportamiento existe para conveniencia del usuario."}], "id": "CVE-2009-2335", "lastModified": "2018-11-08T20:38:55.627", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2009-07-10T21:00:00.203", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "http://corelabs.coresecurity.com/index.php?action=view&type=advisory&name=WordPress_Privileges_Unchecked"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://securitytracker.com/id?1022528"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.exploit-db.com/exploits/9110"}, {"source": "cve@mitre.org", "tags": ["Broken Link"], "url": "http://www.osvdb.org/55713"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/archive/1/504795/100/0/threaded"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/35581"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "http://www.vupen.com/english/advisories/2009/1833"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00597.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00608.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.redhat.com/archives/fedora-package-announce/2009-July/msg00632.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.redhat.com/archives/fedora-package-announce/2009-July/msg00676.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-16"}], "source": "nvd@nist.gov", "type": "Primary"}]}