CVE-2011-4898

NameCVE-2011-4898
Description** DISPUTED ** wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier generates different error messages for requests lacking a dbname parameter depending on whether the MySQL credentials are valid, which makes it easier for remote attackers to conduct brute-force attacks via a series of requests with different uname and pwd parameters. NOTE: the vendor disputes the significance of this issue; also, it is unclear whether providing intentionally vague error messages during installation would be reasonable from a usability perspective.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
wordpress (PTS)wheezy3.6.1+dfsg-1~deb7u10vulnerable
wheezy (security)3.6.1+dfsg-1~deb7u20vulnerable
jessie (security), jessie4.1+dfsg-1+deb8u15vulnerable
stretch (security), stretch4.7.5+dfsg-2+deb9u1vulnerable
buster, sid4.9.1+dfsg-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
wordpresssource(unstable)(unfixed)unimportant

Notes

https://www.trustwave.com/spiderlabs/advisories/TWSL2012-002.txt

Search for package or bug name: Reporting problems