CVE-2012-4381 — Hard-coded Credentials in Mediawiki

CWE-798 — Hard-coded Credentials7 documents5 sources

Severity

8.1HIGHNVD

EPSS

3.1%

top 13.16%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mediawiki Debian Mediawiki

Timeline

PublishedFeb 8

Latest updateApr 23

Description

MediaWiki before 1.18.5, and 1.19.x before 1.19.2 saves passwords in the local database, (1) which could make it easier for context-dependent attackers to obtain cleartext passwords via a brute-force attack or, (2) when an authentication plugin returns a false in the strict function, could allow remote attackers to use old passwords for non-existing accounts in an external authentication system via unspecified vectors.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages4 packages

▶debiandebian/mediawiki< mediawiki 1:1.19.2-1 (bookworm)

▶NVDmediawiki/mediawiki1.19.0 — 1.19.2+1

▶Debianmediawiki/mediawiki< 1:1.19.2-1+3

▶CVEListV5mediawiki/mediawiki1.19.x before 1.19.2, before 1.18.5+1

Patches

Patch: www.openwall.com ↗Patch: www.openwall.com ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

GHSA

GHSA-794f-724h-wf37: MediaWiki before 1↗2022-04-23

▶

OSV

CVE-2012-4381: MediaWiki before 1↗2020-02-08

▶

📋Vendor Advisories

Debian

CVE-2012-4381: mediawiki - MediaWiki before 1.18.5, and 1.19.x before 1.19.2 saves passwords in the local d...↗2012

▶

💬Community

Bugzilla

CVE-2012-4377 CVE-2012-4378 CVE-2012-4379 CVE-2012-4380 CVE-2012-4381 mediawiki various flaws [fedora-all]↗2012-08-31

▶

Bugzilla

CVE-2012-4381 mediawiki: Password saved always to the local MediaWiki database and possibility to use old passwords for non-existing accounts in the external auth system↗2012-08-31

▶

Bugzilla

CVE-2012-4379 CVE-2012-4380 CVE-2012-4381 mediawiki various flaws [epel-5]↗2012-08-31

▶