Jetpack alerting on security vuln

ianhyzy

Jetpack is warning me about this - do I need to worry about it? I moved from a different host (back) to cloudron and don't recall seeing this before

girish

That's quite an abstract threat message Can't say I understand it. @ianhyzy Can you post the link in the screenshot? (The technical details link)

ianhyzy

@girish yup, here you go https://wpscan.com/vulnerability/c8814e6e-78b3-4f63-a1d3-6906a84c1f11

girish

@ianhyzy I think that link is saying that there is no known fix. https://www.sonarsource.com/blog/wordpress-core-unauthenticated-blind-ssrf/ says similar. Looks like quite a recent report.

jdaviescoates

@girish said in Jetpack alerting on security vuln:

@ianhyzy I think that link is saying that there is no known fix. https://www.sonarsource.com/blog/wordpress-core-unauthenticated-blind-ssrf/ says similar. Looks like quite a recent report.

also seems to say this issue by itself isn't much to worry about

We couldn't generically identify ways to leverage this behavior to take over vulnerable instances without relying on other vulnerable services.

and

We've audited the code in the hope of finding parser differential bugs that would allow reaching unintended ports or performing POST requests without success: the initial URL validation steps are restrictive enough to prevent their exploitation. As mentioned earlier, attackers would have to chain this behavior with another vulnerability to impact the targeted organization's security significantly.

ianhyzy

thanks, should have read that more clearly - will just ignore it!

ccfu

@ianhyzy
Update to 6.2 and that message should go away. Other control panels reported this as well but WP saw no need to act on it as there was no likely risk of it being exploited.