Vulnerability CVE-2021-35197: Information
Description
In MediaWiki before 1.31.15, 1.32.x through 1.35.x before 1.35.3, and 1.36.x before 1.36.1, bot accounts retain unintended API access: an account under a sitewide block can still purge pages (action=purge) through the MediaWiki Action API, even though a sitewide block is supposed to prevent this.
Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
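A post-upgrade check, added here as an example (it is not ALT Linux's or MediaWiki's own code): it builds an Action API action=purge request, classifies the JSON reply, and reports whether a session logged in as a sitewide-blocked bot can still purge. The api.php URL, the page titles and the two sample replies are constructed for the example; the blocked-error codes are assumed to be MediaWiki's standard ones.

```python
"""Check for CVE-2021-35197: can a sitewide-blocked bot still use action=purge?
Added example, not ALT Linux or MediaWiki code."""
import json
import urllib.parse
import urllib.request

# Error codes the Action API returns for a blocked caller.
# Assumption: the standard codes; adjust if a wiki customises them.
BLOCKED_ERROR_CODES = {"blocked", "autoblocked", "blocked-global"}


def build_purge_request(api_url, titles):
    """Return (url, POST body) for an Action API purge of the given titles."""
    form = {
        "action": "purge",
        "titles": "|".join(titles),   # Action API multi-value separator
        "format": "json",
    }
    return api_url, urllib.parse.urlencode(form).encode()


def http_post_json(url, body, opener=None):
    """Default transport: POST the form and decode the JSON reply.
    The opener must already carry the blocked bot's session cookies
    (log in with action=login / a bot password beforehand)."""
    opener = opener or urllib.request.build_opener()
    req = urllib.request.Request(url, data=body, method="POST")
    with opener.open(req) as resp:
        return json.loads(resp.read().decode())


def classify_purge_response(body):
    """'blocked'        -> the block was enforced (patched behaviour)
       'purged'         -> a page was purged (CVE-2021-35197 behaviour)
       'error:<code>' / 'unknown' -> something else; inspect by hand."""
    err = body.get("error")
    if err is not None:
        code = err.get("code", "")
        return "blocked" if code in BLOCKED_ERROR_CODES else "error:" + code
    # formatversion=1 reports "purged": "", formatversion=2 "purged": true
    if any("purged" in page for page in body.get("purge", [])):
        return "purged"
    return "unknown"


def blocked_bot_can_purge(api_url, titles, fetch=http_post_json):
    """True when the (sitewide-blocked) session can still purge, i.e. the
    wiki is unpatched.  `fetch(url, body) -> dict` is injectable so the
    check can be exercised offline."""
    url, body = build_purge_request(api_url, titles)
    return classify_purge_response(fetch(url, body)) == "purged"


# Constructed sample replies (not captured from a real wiki).
PATCHED_REPLY = {"error": {"code": "blocked",
                           "info": "You have been blocked from editing.",
                           "blockinfo": {"blockid": 7, "blockedby": "Admin"}}}
VULNERABLE_REPLY = {"batchcomplete": "",
                    "purge": [{"ns": 0, "title": "Main Page", "purged": ""}]}

if __name__ == "__main__":
    for name, reply in (("patched", PATCHED_REPLY),
                        ("vulnerable", VULNERABLE_REPLY)):
        print(name, "->", classify_purge_response(reply))
```

For a live check, build a `urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))` whose cookie jar holds a session logged in as the blocked bot, then call `blocked_bot_can_purge(api_url, titles, fetch=functools.partial(http_post_json, opener=opener))`; a result of `True` means the 1.36.1-alt1 (or later) package has not actually been deployed on that wiki.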
Fixed packages
Package name | Branch | Fixed in version | Version from repository | Errata ID | Task # | State |
---|---|---|---|---|---|---|
mediawiki | sisyphus | 1.36.1-alt1 | 1.40.1-alt2 | ALT-PU-2021-2064-1 | 275705 | Fixed |
mediawiki | p10 | 1.36.1-alt1 | 1.40.1-alt2 | ALT-PU-2021-2064-1 | 275705 | Fixed |
mediawiki | p9 | 1.36.1-alt1 | 1.36.1-alt1 | ALT-PU-2021-2091-1 | 274917 | Fixed |
mediawiki | c10f1 | 1.36.1-alt1 | 1.37.2-alt1 | ALT-PU-2021-2064-1 | 275705 | Fixed |
mediawiki | p11 | 1.36.1-alt1 | 1.40.1-alt2 | ALT-PU-2021-2064-1 | 275705 | Fixed |
References to Advisories, Solutions, and Tools
Hyperlink | Resource |
---|---|
https://phabricator.wikimedia.org/T280226 | |
GLSA-202107-40 | |
DSA-4979 | |
[debian-lts-announce] 20211009 [SECURITY] [DLA 2779-1] mediawiki security update | |
https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce%40lists.wikimedia.org/thread/YR3X4L2CPSEJVSY543AWEO65TD6APXHP/ | |
FEDORA-2021-eee8b7514f | |
FEDORA-2021-56d8173b5e | |
FEDORA-2021-3dd1b66cbf | |