[wp-trac] [WordPress Trac] #57363: WP <= 6.1.1 - Unauthenticated Blind SSRF via DNS Rebinding
WordPress Trac
noreply at wordpress.org
Thu Dec 22 04:19:11 UTC 2022
#57363: WP <= 6.1.1 - Unauthenticated Blind SSRF via DNS Rebinding
------------------------------+------------------------------
Reporter: edavis711 | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Pings/Trackbacks | Version: 6.1.1
Severity: normal | Resolution:
Keywords: needs-patch | Focuses:
------------------------------+------------------------------
Comment (by peterwilsoncc):
Members of the security team discussed this overnight; they have decided
to work on a fix in public given the issue is already well known.
A provisional patch does exist, but a number of complicated edge cases
remain to be resolved, so it’ll take a bit of work to get it into a
commit-worthy state that doesn’t break existing plugins.
As mentioned in the comment above and the original post disclosing the
issue, exploiting this requires vulnerabilities in multiple systems
outside of WordPress. The WordPress Security Team recommends website
owners always use the DNS servers provided by their hosting provider.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/57363#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform