CVE-2021-30158Improper Authentication in Mediawiki

CWE-287Improper Authentication5 documents5 sources
Severity
5.3MEDIUMNVD
EPSS
0.6%
top 30.23%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
MediawikiDebian MediawikiDebian Linux+1 more
Timeline
PublishedApr 6
Latest updateMay 24

Description

An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. Blocked users are unable to use Special:ResetTokens. This has security relevance because a blocked user might have accidentally shared a token, or might know that a token has been compromised, and yet is not able to block any potential future use of the token by an unauthorized party.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages3 packages

debiandebian/mediawiki< mediawiki 1:1.35.2-1 (bookworm)
NVDmediawiki/mediawiki1.32.01.35.2+1
Debianmediawiki/mediawiki< 1:1.35.2-1+3

Also affects: Debian Linux 10.0, 9.0, Fedora 33, 34

Patches

Patch: phabricator.wikimedia.orgPatch: phabricator.wikimedia.org

🔴Vulnerability Details

2
GHSA
GHSA-c7v8-6m32-34m3: An issue was discovered in MediaWiki before 12022-05-24
OSV
CVE-2021-30158: An issue was discovered in MediaWiki before 12021-04-06

📋Vendor Advisories

2
Red Hat
mediawiki: blocked users are unable to use Special:ResetTokens2021-03-19
Debian
CVE-2021-30158: mediawiki - An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x be...2021
CVE-2021-30158 — Improper Authentication in Mediawiki | cvebase