vulnerability
MediaWiki: Incorrect Permission Assignment for Critical Resource (CVE-2022-47927)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 5 | (AV:L/AC:L/Au:S/C:C/I:N/A:N) | Jan 12, 2023 | Jan 23, 2023 | Jan 28, 2025 |
Severity
5
CVSS
(AV:L/AC:L/Au:S/C:C/I:N/A:N)
Published
Jan 12, 2023
Added
Jan 23, 2023
Modified
Jan 28, 2025
Description
An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. When installing with a pre-existing data directory that has weak permissions, the SQLite files are created with file mode 0644, i.e., world readable to local users. These files include credentials data.
Solution(s)
mediawiki-upgrade-1_35_9mediawiki-upgrade-1_38_5
References
- CVE-2022-47927
- https://attackerkb.com/topics/CVE-2022-47927
- URL-https://lists.debian.org/debian-lts-announce/2023/07/msg00011.html
- URL-https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AP65YEN762IBNQPOYGUVLTQIDLM5XD2A/
- URL-https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce%40lists.wikimedia.org/thread/UEMW64LVEH3BEXCJV43CVS6XPYURKWU3/
- URL-https://phabricator.wikimedia.org/T322637
- URL-https://security.gentoo.org/glsa/202305-24
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.