CVE-2016-6337 — Improper Access Control in Mediawiki

CWE-284 — Improper Access Control5 documents5 sources

Severity

7.5HIGHNVD

EPSS

0.3%

top 43.29%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mediawiki Debian Mediawiki

Timeline

PublishedApr 20

Latest updateMay 17

Description

MediaWiki 1.27.x before 1.27.1 might allow remote attackers to bypass intended session access restrictions by leveraging a call to the UserGetRights function after Session::getAllowedUserRights.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶debiandebian/mediawiki< mediawiki 1:1.27.1-1 (bookworm)

▶Debianmediawiki/mediawiki< 1:1.27.1-1+3

▶NVDmediawiki/mediawiki1.27.0

Patches

Patch: lists.wikimedia.org ↗Patch: phabricator.wikimedia.org ↗Patch: lists.wikimedia.org ↗

🔴Vulnerability Details

GHSA

GHSA-3c2m-8jfj-576j: MediaWiki 1↗2022-05-17

▶

OSV

CVE-2016-6337: MediaWiki 1↗2017-04-20

▶

📋Vendor Advisories

Debian

CVE-2016-6337: mediawiki - MediaWiki 1.27.x before 1.27.1 might allow remote attackers to bypass intended s...↗2016

▶

💬Community

Bugzilla

CVE-2016-6337 mediawiki: Bypassing access restrictions↗2017-04-21

▶