CVE-2015-2937Mediawiki vulnerability

CWE-3998 documents4 sources
Severity
7.1HIGHNVD
EPSS
2.0%
top 16.23%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
MediawikiDebian Mediawiki
Timeline
PublishedApr 13
Latest updateMay 17

Description

MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2, when using HHVM or Zend PHP, allows remote attackers to cause a denial of service ("quadratic blowup" and memory consumption) via an XML file containing an entity declaration with long replacement text and many references to this entity, a different vulnerability than CVE-2015-2942.

CVSS vector

AV:N/AC:M/C:N/I:N/A:CExploitability: 8.6 | Impact: 6.9

Affected Packages3 packages

debiandebian/mediawiki< mediawiki 1:1.19.20+dfsg-2.3 (bookworm)
Debianmediawiki/mediawiki< 1:1.19.20+dfsg-2.3+3
NVDmediawiki/mediawiki1.19.23+48

Patches

Patch: lists.wikimedia.orgPatch: lists.wikimedia.org

🔴Vulnerability Details

4
GHSA
GHSA-g2xw-jrgp-4j4f: MediaWiki before 12022-05-17
GHSA
GHSA-mmcv-w5m4-3p9m: MediaWiki before 12022-05-17
OSV
CVE-2015-2942: MediaWiki before 12015-04-13
OSV
CVE-2015-2937: MediaWiki before 12015-04-13

📋Vendor Advisories

2
Debian
CVE-2015-2937: mediawiki - MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2, when usi...2015
Debian
CVE-2015-2942: mediawiki - MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2, when usi...2015
CVE-2015-2937 — Debian Mediawiki vulnerability | cvebase