Bug 1969375 (CVE-2021-29504)

Summary: CVE-2021-29504 wp-cli: improper error handling allows remote attackers to gain full control over the communication content
Product: [Other] Security Response
Component: vulnerability
Reporter: Marian Rehak <mrehak>
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM
Severity: high
Priority: high
Version: unspecified
CC: luis
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: wp-cli 2.5.0
Last Closed: 2021-06-08 15:04:00 UTC
Bug Depends On: 1969376, 1969377

Description Marian Rehak 2021-06-08 10:14:00 UTC
Improper error handling in HTTPS request management in WP-CLI version 0.12.0 and later allows remote attackers who are able to intercept the communication to remotely disable certificate verification on the WP-CLI side, gaining full control over the communication content, including the ability to impersonate update servers and push malicious updates towards WordPress instances controlled by the vulnerable WP-CLI agent, or push malicious updates toward WP-CLI itself.

https://github.com/wp-cli/config-command/pull/128
https://github.com/wp-cli/core-command/pull/186
https://github.com/wp-cli/wp-cli/pull/5523
https://github.com/wp-cli/package-command/pull/138
https://github.com/wp-cli/extension-command/pull/287
https://github.com/wp-cli/checksum-command/pull/86
https://github.com/wp-cli/wp-cli/security/advisories/GHSA-rwgm-f83r-v3qj
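The error-handling defect class described above, shown as an added Python example that is not WP-CLI's code: a client that answers a certificate verification failure by retrying without verification (assumed here as the shape of the problem), beside a fail-closed version. The `RecordingTransport`, the URL and the returned byte strings are constructed stand-ins so the example runs offline.

```python
import ssl
from typing import Callable, List, Tuple

# A transport stands in for the HTTP layer: transport(url, verify) -> body.
Transport = Callable[[str, bool], bytes]


class RecordingTransport:
    """Constructed transport that logs every (url, verify) call it receives.

    With intercepted=True it models a network path where an untrusted
    certificate is presented: verified requests fail, unverified requests
    return attacker-chosen bytes. With intercepted=False it is the honest path.
    """

    def __init__(self, intercepted: bool) -> None:
        self.intercepted = intercepted
        self.calls: List[Tuple[str, bool]] = []

    def __call__(self, url: str, verify: bool) -> bytes:
        self.calls.append((url, verify))
        if not self.intercepted:
            return b"genuine release"
        if verify:
            raise ssl.SSLCertVerificationError("certificate verify failed")
        return b"attacker-controlled payload"


def fetch_with_fallback(url: str, transport: Transport) -> bytes:
    """Vulnerable pattern: a TLS error is treated as transient and the request
    is silently retried with verification off, so whoever can make the first
    request fail also decides what the second one returns."""
    try:
        return transport(url, True)
    except ssl.SSLError:
        return transport(url, False)


def fetch_strict(url: str, transport: Transport, allow_insecure: bool = False) -> bytes:
    """Hardened pattern: a verification failure is fatal unless the operator
    explicitly opted out of verification for this call (an illustrative opt-in,
    not a statement about WP-CLI's own options)."""
    try:
        return transport(url, True)
    except ssl.SSLCertVerificationError:
        if not allow_insecure:
            raise
        return transport(url, False)
```

In a code review, the thing to look for is the second pattern's shape: a `verify=False` (or equivalent option) reachable from an exception handler rather than from an explicit caller decision.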

Comment 1 Marian Rehak 2021-06-08 10:14:28 UTC
Created wp-cli tracking bugs for this issue:

Affects: epel-7 [bug 1969377]
Affects: fedora-all [bug 1969376]

Comment 2 Product Security DevOps Team 2021-06-08 15:04:00 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.