CVE-2021-31556 — Improper Validation of Specified Quantity in Input in Mediawiki

CWE-1284 — Improper Validation of Specified Quantity in Input CWE-20 — Improper Input Validation CWE-327 — Use of a Broken or Risky Cryptographic Algorithm3 documents3 sources

Severity

9.8CRITICALNVD

EPSS

0.7%

top 28.86%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mediawiki Fedoraproject Fedora

Timeline

PublishedAug 12

Latest updateMay 24

Description

An issue was discovered in the Oauth extension for MediaWiki through 1.35.2. MWOAuthConsumerSubmitControl.php does not ensure that the length of an RSA key will fit in a MySQL blob.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages1 packages

▶NVDmediawiki/mediawiki1.35.2

Also affects: Fedora 33, 34, 35

Patches

Patch: gerrit.wikimedia.org ↗Patch: gerrit.wikimedia.org ↗

🔴Vulnerability Details

GHSA

GHSA-qm9m-9cq9-7p3v: An issue was discovered in the Oauth extension for MediaWiki through 1↗2022-05-24

▶

📋Vendor Advisories

Red Hat

mediawiki: OAuth extension doesn't validate length of RSA key↗2021-08-13

▶