vulnerability
MediaWiki: CVE-2021-30159: Vulnerability in MediaWiki
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 4 | (AV:N/AC:L/Au:S/C:N/I:P/A:N) | Apr 9, 2021 | Apr 21, 2021 | May 6, 2026 |
Severity
4
CVSS
(AV:N/AC:L/Au:S/C:N/I:P/A:N)
Published
Apr 9, 2021
Added
Apr 21, 2021
Modified
May 6, 2026
Description
An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. Users can bypass intended restrictions on deleting pages in certain "fast double move" situations. MovePage::isValidMoveTarget() uses FOR UPDATE, but it's only called if Title::getArticleID() returns non-zero with no special flags. Next, MovePage::moveToInternal() will delete the page if getArticleID(READ_LATEST) is non-zero. Therefore, if the page is missing in the replica DB, isValidMove() will return true, and then moveToInternal() will unconditionally delete the page if it can be found in the master.
Solution
mediawiki-upgrade-latest
References
- CVE-2021-30159
- https://attackerkb.com/topics/CVE-2021-30159
- https://lists.debian.org/debian-lts-announce/2021/05/msg00003.html
- https://lists.debian.org/debian-lts-announce/2021/05/msg00006.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/26UJGHF7LJDOCQN6A3Z4PM7PYRKENJHE/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2OMSV7B2TCFBOCICN3B4SMQP5HVRJQIT/
- https://phabricator.wikimedia.org/T272386
- https://security.gentoo.org/glsa/202107-40
- https://www.debian.org/security/2021/dsa-4889
- https://euvd.enisa.europa.eu/vulnerability/EUVD-2021-17095
- EUVD-EUVD-2021-17095
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.