CVE-2019-12472 — Improper Access Control in Mediawiki

CWE-284 — Improper Access Control5 documents4 sources

Severity

7.5HIGHNVD

EPSS

0.2%

top 64.24%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mediawiki Mediawiki Core Debian Mediawiki

Timeline

PublishedJul 10

Latest updateMay 24

Description

An Incorrect Access Control vulnerability was found in Wikimedia MediaWiki 1.18.0 through 1.32.1. It is possible to bypass the limits on IP range blocks ($wgBlockCIDRLimit) by using the API. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶Packagistmediawiki/core1.18.0 — 1.27.6+3

▶debiandebian/mediawiki< mediawiki 1:1.31.2-1 (bookworm)

▶NVDmediawiki/mediawiki1.18.0 — 1.27.6+3

▶Debianmediawiki/mediawiki< 1:1.31.2-1+3

Patches

Patch: lists.wikimedia.org ↗Patch: lists.wikimedia.org ↗

🔴Vulnerability Details

OSV

MediaWiki Incorrect Access Control vulnerability↗2022-05-24

▶

GHSA

MediaWiki Incorrect Access Control vulnerability↗2022-05-24

▶

OSV

CVE-2019-12472: An Incorrect Access Control vulnerability was found in Wikimedia MediaWiki 1↗2019-07-10

▶

📋Vendor Advisories

Debian

CVE-2019-12472: mediawiki - An Incorrect Access Control vulnerability was found in Wikimedia MediaWiki 1.18....↗2019

▶