vulnerability
MediaWiki: Incorrect Authorization (CVE-2021-35197)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 5 | (AV:N/AC:L/Au:N/C:N/I:P/A:N) | Jul 2, 2021 | Jul 9, 2021 | Nov 26, 2024 |
Severity
5
CVSS
(AV:N/AC:L/Au:N/C:N/I:P/A:N)
Published
Jul 2, 2021
Added
Jul 9, 2021
Modified
Nov 26, 2024
Description
In MediaWiki before 1.31.15, 1.32.x through 1.35.x before 1.35.3, and 1.36.x before 1.36.1, bots have certain unintended API access. When a bot account has a "sitewide block" applied, it is able to still "purge" pages through the MediaWiki Action API (which a "sitewide block" should have prevented).
Solutions
mediawiki-upgrade-1_31_15mediawiki-upgrade-1_35_3mediawiki-upgrade-1_36_1
References
- CVE-2021-35197
- https://attackerkb.com/topics/CVE-2021-35197
- URL-https://lists.debian.org/debian-lts-announce/2021/10/msg00003.html
- URL-https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CJDYJQWT43GBD6GNQ4OW7JOZ6WQ6DZTN/
- URL-https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MDBPECBWN6LWNSWIQMVXK6PP4YFEUYHA/
- URL-https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QNEAI2T3Y65I55ZB6UE6RMC662RZTGRX/
- URL-https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce%40lists.wikimedia.org/thread/YR3X4L2CPSEJVSY543AWEO65TD6APXHP/
- URL-https://phabricator.wikimedia.org/T280226
- URL-https://security.gentoo.org/glsa/202107-40
- URL-https://www.debian.org/security/2021/dsa-4979
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.