CVE-2021-35197 — Incorrect Authorization in Mediawiki

CWE-863 — Incorrect Authorization CWE-668 — Resource Exposure CWE-306 — Missing Authentication for Critical Function5 documents5 sources

Severity

7.5HIGHNVD

EPSS

0.7%

top 27.29%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mediawiki Debian Mediawiki Debian Linux +1 more

Timeline

PublishedJul 2

Latest updateMay 24

Description

In MediaWiki before 1.31.15, 1.32.x through 1.35.x before 1.35.3, and 1.36.x before 1.36.1, bots have certain unintended API access. When a bot account has a "sitewide block" applied, it is able to still "purge" pages through the MediaWiki Action API (which a "sitewide block" should have prevented).

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶debiandebian/mediawiki< mediawiki 1:1.35.3-1 (bookworm)

▶NVDmediawiki/mediawiki1.32.0 — 1.35.3+2

▶Debianmediawiki/mediawiki< 1:1.35.4-1~deb11u1+3

Also affects: Debian Linux 10.0, 11.0, 9.0, Fedora 33, 34, 35

🔴Vulnerability Details

GHSA

GHSA-8hhg-q8jv-q9c7: In MediaWiki before 1↗2022-05-24

▶

OSV

CVE-2021-35197: In MediaWiki before 1↗2021-07-02

▶

📋Vendor Advisories

Red Hat

mediawiki: blocked users are able to purge pages impacting Integrity↗2021-06-22

▶

Debian

CVE-2021-35197: mediawiki - In MediaWiki before 1.31.15, 1.32.x through 1.35.x before 1.35.3, and 1.36.x bef...↗2021

▶