CVE-2017-8810: Sensitive Information Exposure in MediaWiki

Severity: 7.5 HIGH (NVD)
EPSS: 1.0% (top 23.50%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Nov 15
Latest update: May 17

Description

MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2, when a private wiki is configured, provides different error messages for failed login attempts depending on whether the username exists, which allows remote attackers to enumerate account names and conduct brute-force attacks via a series of requests.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (3 packages)

debian: debian/mediawiki < mediawiki 1:1.27.4-1 (bookworm)
Debian: mediawiki/mediawiki < 1:1.27.4-1 +3
NVD: mediawiki/mediawiki 1.27.3 +5

Also affects: Debian Linux 9.0

Patches

🔴 Vulnerability Details (2)

GHSA: GHSA-j76f-f4hg-c8qp: MediaWiki before 1 (2022-05-17)
OSV: CVE-2017-8810: MediaWiki before 1 (2017-11-15)

📋 Vendor Advisories (1)

Debian: CVE-2017-8810: mediawiki - MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2, when a ... (2017)
CVE-2017-8810 — Sensitive Information Exposure | cvebase