Vulnerability CVE-2021-35197: Information

Description

In MediaWiki before 1.31.15, 1.32.x through 1.35.x before 1.35.3, and 1.36.x before 1.36.1, bots have certain unintended API access. When a bot account has a "sitewide block" applied, it is able to still "purge" pages through the MediaWiki Action API (which a "sitewide block" should have prevented).

Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

URL: https://nvd.nist.gov/vuln/detail/CVE-2021-35197
Published: July 2, 2021
Modified: Nov. 7, 2023
Error type identifier: CWE-863

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
mediawikisisyphus1.36.1-alt11.40.1-alt2ALT-PU-2021-2064-1275705Fixed
mediawikip101.36.1-alt11.40.1-alt2ALT-PU-2021-2064-1275705Fixed
mediawikip91.36.1-alt11.36.1-alt1ALT-PU-2021-2091-1274917Fixed
mediawikic10f11.36.1-alt11.37.2-alt1ALT-PU-2021-2064-1275705Fixed
mediawikip111.36.1-alt11.40.1-alt2ALT-PU-2021-2064-1275705Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://phabricator.wikimedia.org/T280226
  • Exploit
  • Vendor Advisory
GLSA-202107-40
  • Third Party Advisory
DSA-4979
  • Third Party Advisory
[debian-lts-announce] 20211009 [SECURITY] [DLA 2779-1] mediawiki security update
  • Mailing List
  • Third Party Advisory
https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce%40lists.wikimedia.org/thread/YR3X4L2CPSEJVSY543AWEO65TD6APXHP/
    FEDORA-2021-eee8b7514f
      FEDORA-2021-56d8173b5e
        FEDORA-2021-3dd1b66cbf

            1. Configuration 1

              cpe:2.3:a:mediawiki:mediawiki:*:*:*:*:*:*:*:*
              Start including
              1.36.0
              End excliding
              1.36.1
              cpe:2.3:a:mediawiki:mediawiki:*:*:*:*:*:*:*:*
              Start including
              1.32.0
              End excliding
              1.35.3
              cpe:2.3:a:mediawiki:mediawiki:*:*:*:*:*:*:*:*
              End excliding
              1.31.15

              Configuration 2

              cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
              cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
              cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

              Configuration 3

              cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
              cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
              cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
          VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
          Version: v24.5.3
          Back to top