MediaWiki: Improper Restriction of Excessive Authentication Attempts (CVE-2020-25827)
Severity | CVSS | Published | Added | Modified |
---|---|---|---|---|
5 | (AV:N/AC:L/Au:N/C:N/I:P/A:N) | Sep 27, 2020 | Oct 8, 2020 | Nov 8, 2023 |
Description
An issue was discovered in the OATHAuth extension in MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4. On wikis that run OATHAuth on a farm/cluster with shared accounts (such as via CentralAuth), the rate limit on OATH token verification attempts is enforced only at the level of a single site, not per account across the whole farm. An attacker can therefore submit token guesses against many wikis/sites concurrently, receiving the full per-site attempt budget on each one and multiplying the number of guesses the limit was meant to cap.
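The following simulation, added here as an illustration and not taken from MediaWiki or the OATHAuth extension, shows why a per-site counter fails on a farm. A fixed-window rate limiter is keyed either by (site, account), the vulnerable shape, or by account alone, the fixed shape; an attacker then spreads TOTP guesses round-robin over a hypothetical 20-wiki farm. The limiter, the TOTP routine, the site names, the secret, the fixed clock and the LIMIT/WINDOW values are all assumptions chosen for the demonstration.

```python
"""Simulation of the CVE-2020-25827 weakness: OATH token attempts rate-limited
per wiki instead of per account across the farm.

Constructed example; this is not MediaWiki or OATHAuth code. The limiter,
the TOTP routine, the site names, the secret, the timestamp and the
LIMIT/WINDOW values are all assumptions chosen for the demonstration.
"""
import hmac
from collections import defaultdict

LIMIT = 10                  # assumed: token attempts allowed per window
WINDOW = 300                # assumed: window length in seconds
SECRET = b"constructed-shared-secret"   # constructed TOTP seed
NOW = 1_600_000_000         # constructed fixed clock so the run is deterministic
SITES = [f"wiki{i}.example" for i in range(20)]   # hypothetical 20-wiki farm


def totp(secret, now, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1, dynamic truncation) for the given clock."""
    counter = (int(now) // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, "sha1").digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return code % (10 ** digits)


class RateLimiter:
    """Fixed-window counter keyed by scope(site, user).

    The scope function is the whole difference between the vulnerable and
    the fixed design: it decides what a single count covers.
    """

    def __init__(self, scope, limit=LIMIT, window=WINDOW):
        self.scope = scope
        self.limit = limit
        self.window = window
        self.counts = defaultdict(int)   # key -> attempts in current window
        self.window_start = {}

    def allow(self, site, user, now):
        key = self.scope(site, user)
        start = self.window_start.get(key)
        if start is None or now - start >= self.window:
            self.window_start[key] = now   # open a fresh window for this key
            self.counts[key] = 0
        if self.counts[key] >= self.limit:
            return False
        self.counts[key] += 1
        return True


# Vulnerable scope: each wiki keeps its own counter for the same central
# account, so the attacker gets LIMIT attempts on every wiki in the farm.
def per_site(site, user):
    return (site, user)


# Fixed scope: one counter per central account. In a real farm that counter
# must live in a store shared by every wiki (a central database or shared
# cache), not in each wiki's local cache; a per-wiki store recreates the bug.
def per_account(site, user):
    return user


def constructed_guesses(n_wrong, now=NOW):
    """n_wrong guesses that are certainly wrong, then the real token last."""
    target = totp(SECRET, now)
    wrong = [g for g in range(n_wrong + 1) if g != target][:n_wrong]
    return wrong + [target]


def brute_force(scope, sites, user, guesses, now=NOW):
    """Attacker spreads guesses round-robin across the wikis of the farm.

    Returns (attempts the limiter let through, whether the token was hit).
    """
    limiter = RateLimiter(scope)
    target = totp(SECRET, now)
    accepted = 0
    for i, guess in enumerate(guesses):
        site = sites[i % len(sites)]
        if not limiter.allow(site, user, now):
            continue                     # this wiki is exhausted; try the next
        accepted += 1
        if guess == target:
            return accepted, True
    return accepted, False


if __name__ == "__main__":
    guesses = constructed_guesses(len(SITES) * LIMIT - 1)   # 199 wrong + 1 right
    print("per-site limiter   :", brute_force(per_site, SITES, "alice", guesses))
    print("per-account limiter:", brute_force(per_account, SITES, "alice", guesses))
```

With 20 wikis and a limit of 10, the per-site limiter lets all 200 guesses through and the attacker hits the token on the last one; the per-account limiter stops after 10 regardless of how many wikis the attempts are spread over. The check to apply on a real farm is the same: confirm that the key of the OATH attempt counter contains no wiki-specific component and that the backing store is shared by every wiki that accepts the same credentials.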
Solution(s)
- mediawiki-upgrade-1_31_10 (upgrade MediaWiki 1.31.x to 1.31.10)
- mediawiki-upgrade-1_34_4 (upgrade MediaWiki 1.32.x through 1.34.x to 1.34.4)
References
- CVE-2020-25827
- https://attackerkb.com/topics/CVE-2020-25827
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RTTPZ7XMDS66I442OLLHXBDNP2LCBJU6/
- https://lists.wikimedia.org/pipermail/mediawiki-l/2020-September/048480.html
- https://lists.wikimedia.org/pipermail/mediawiki-l/2020-September/048488.html
- https://phabricator.wikimedia.org/T251661