CVE-2020-25827: Improper Restriction of Excessive Authentication Attempts in MediaWiki

Severity: 7.5 HIGH (NVD)
EPSS: 0.2% (top 53.01%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Sep 27; latest update May 24

Description

An issue was discovered in the OATHAuth extension in MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4. For Wikis using OATHAuth on a farm/cluster (such as via CentralAuth), rate limiting of OATH tokens is only done on a single site level. Thus, multiple requests can be made across many wikis/sites concurrently.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (4 packages)

Packagist: mediawiki/core, 1.31.0 to 1.31.9 (+1)
Debian: debian/mediawiki, < mediawiki 1:1.35.0-1 (bookworm)
NVD: mediawiki/mediawiki, 1.32.0 to 1.34.4 (+1)
Debian: mediawiki/mediawiki, < 1:1.35.0-1 (+3)

Also affects: Fedora 33

Vulnerability Details (3)

OSV: OATHAuth extension in MediaWiki is not implementing rate limit (2022-05-24)
GHSA: OATHAuth extension in MediaWiki is not implementing rate limit (2022-05-24)
OSV: CVE-2020-25827: An issue was discovered in the OATHAuth extension in MediaWiki before 1... (2020-09-27)

Vendor Advisories (2)

Red Hat: mediawiki: using OATHAuth on a farm/cluster (such as via CentralAuth), rate limiting of OATH tokens is only done on a single site level (2020-09-27)
Debian: CVE-2020-25827: mediawiki - An issue was discovered in the OATHAuth extension in MediaWiki before 1.31.10 an... (2020)
CVE-2020-25827 — Mediawiki vulnerability | cvebase