ID

VAR-201912-1320


CVE

CVE-2019-19589


TITLE

Input validation vulnerability in the Lever PDF Embedder plug-in for WordPress

Trust: 0.8

sources: JVNDB: JVNDB-2019-013000

DESCRIPTION

The Lever PDF Embedder plugin 4.4 for WordPress does not block the distribution of polyglot PDF documents that are valid JAR archives. Note: It has been argued that "The vulnerability reported in PDF Embedder Plugin is not valid as the plugin itself doesn't control or manage the file upload process. It only serves the uploaded PDF files, and the responsibility of uploading PDF files remains with the site owner of the WordPress installation; the upload of PDF files is managed by WordPress core and not by PDF Embedder Plugin. Control and blocking of polyglot files is required to be taken care of at the time of upload, not when showing the file. Moreover, the reference mentions retrieving the files from the browser cache and manually renaming them to .jar for executing the file. That refers to two non-connected steps which have nothing to do with PDF Embedder."

The Lever PDF Embedder plug-in for WordPress contains an input validation vulnerability. Information may be obtained, information may be altered, and service operation may be disrupted (DoS).

WordPress is a blogging platform developed by the WordPress Foundation using the PHP language. The platform supports setting up personal blog sites on PHP and MySQL servers. Lever PDF Embedder is a PDF viewing plug-in for it. A security vulnerability exists in WordPress Lever PDF Embedder version 4.4. An attacker could exploit this vulnerability to transmit and execute malicious code.

Trust: 1.71

sources: NVD: CVE-2019-19589 // JVNDB: JVNDB-2019-013000 // VULHUB: VHN-152050

AFFECTED PRODUCTS

vendor: wp pdf, model: embedder, scope: eq, version: 4.4

Trust: 1.0

vendor: lever, model: pdf embedder, scope: eq, version: 4.4

Trust: 0.8

sources: JVNDB: JVNDB-2019-013000 // NVD: CVE-2019-19589

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-19589
value: CRITICAL

Trust: 1.0

134c704f-9b21-4f2e-91b3-4a467353bcc0: CVE-2019-19589
value: CRITICAL

Trust: 1.0

NVD: CVE-2019-19589
value: CRITICAL

Trust: 0.8

CNNVD: CNNVD-201912-214
value: CRITICAL

Trust: 0.6

VULHUB: VHN-152050
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2019-19589
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-152050
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-19589
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 2.0

NVD: CVE-2019-19589
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-152050 // JVNDB: JVNDB-2019-013000 // CNNVD: CNNVD-201912-214 // NVD: CVE-2019-19589 // NVD: CVE-2019-19589

PROBLEMTYPE DATA

problemtype: CWE-436

Trust: 1.0

problemtype: CWE-20

Trust: 0.9

sources: VULHUB: VHN-152050 // JVNDB: JVNDB-2019-013000 // NVD: CVE-2019-19589

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201912-214

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-201912-214

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-013000

PATCH

title: PDF Embedder, url: https://wordpress.org/plugins/pdf-embedder/#developers

Trust: 0.8

sources: JVNDB: JVNDB-2019-013000

EXTERNAL IDS

db: NVD, id: CVE-2019-19589

Trust: 2.5

db: JVNDB, id: JVNDB-2019-013000

Trust: 0.8

db: CNNVD, id: CNNVD-201912-214

Trust: 0.7

db: VULHUB, id: VHN-152050

Trust: 0.1

sources: VULHUB: VHN-152050 // JVNDB: JVNDB-2019-013000 // CNNVD: CNNVD-201912-214 // NVD: CVE-2019-19589

REFERENCES

url: https://sejalivre.org/usando-arquivos-polyglot-para-distribuir-malwares/

Trust: 2.5

url: https://wordpress.org/plugins/pdf-embedder/#developers

Trust: 1.7

url: https://nvd.nist.gov/vuln/detail/cve-2019-19589

Trust: 1.4

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-19589

Trust: 0.8

sources: VULHUB: VHN-152050 // JVNDB: JVNDB-2019-013000 // CNNVD: CNNVD-201912-214 // NVD: CVE-2019-19589

SOURCES

db: VULHUB, id: VHN-152050
db: JVNDB, id: JVNDB-2019-013000
db: CNNVD, id: CNNVD-201912-214
db: NVD, id: CVE-2019-19589

LAST UPDATE DATE

2024-11-23T22:44:46.415000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-152050, date: 2020-10-08T00:00:00
db: JVNDB, id: JVNDB-2019-013000, date: 2019-12-18T00:00:00
db: CNNVD, id: CNNVD-201912-214, date: 2022-05-05T00:00:00
db: NVD, id: CVE-2019-19589, date: 2024-11-21T04:35:00.313

SOURCES RELEASE DATE

db: VULHUB, id: VHN-152050, date: 2019-12-05T00:00:00
db: JVNDB, id: JVNDB-2019-013000, date: 2019-12-18T00:00:00
db: CNNVD, id: CNNVD-201912-214, date: 2019-12-04T00:00:00
db: NVD, id: CVE-2019-19589, date: 2019-12-05T04:15:11.677