CVE-2021-41801 — Incorrect Authorization in Mediawiki

CWE-863 — Incorrect Authorization4 documents4 sources

Severity

8.8HIGHNVD

EPSS

0.4%

top 40.65%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mediawiki Debian Mediawiki

Timeline

PublishedOct 11

Latest updateMay 24

Description

The ReplaceText extension through 1.41 for MediaWiki has Incorrect Access Control. When a user is blocked after submitting a replace job, the job is still run, even if it may be run at a later time (due to the job queue backlog)

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶debiandebian/mediawiki< mediawiki 1:1.35.4-1 (bookworm)

▶NVDmediawiki/mediawiki1.35.0 — 1.35.4+2

▶Debianmediawiki/mediawiki< 1:1.35.4-1~deb11u1+3

Patches

Patch: phabricator.wikimedia.org ↗Patch: phabricator.wikimedia.org ↗

🔴Vulnerability Details

GHSA

GHSA-rggw-5h76-8v9h: The ReplaceText extension through 1↗2022-05-24

▶

OSV

CVE-2021-41801: The ReplaceText extension through 1↗2021-10-11

▶

📋Vendor Advisories

Debian

CVE-2021-41801: mediawiki - The ReplaceText extension through 1.41 for MediaWiki has Incorrect Access Contro...↗2021

▶