CVE-2021-29504: Improper Certificate Validation

June 7, 2021 (updated June 17, 2021)

WP-CLI is the command-line interface for WordPress. An improper error handling in HTTPS requests management in WP-CLI allows remote attackers able to intercept the communication to remotely disable the certificate verification on WP-CLI side, gaining full control over the communication content, including the ability to impersonate update servers and push malicious updates towards WordPress instances controlled by the vulnerable WP-CLI agent, or push malicious updates toward WP-CLI itself. The vulnerability stems from the fact that the default behavior of WP_CLI\Utils\http_request() when encountering a TLS handshake error is to disable certificate validation and retry the same request.

References

nvd.nist.gov/vuln/detail/CVE-2021-29504

Detect and mitigate CVE-2021-29504 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →