Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2021-35197

Опубликовано: 22 июн. 2021
Источник: redhat
CVSS3: 7.5

Описание

In MediaWiki before 1.31.15, 1.32.x through 1.35.x before 1.35.3, and 1.36.x before 1.36.1, bots have certain unintended API access. When a bot account has a "sitewide block" applied, it is able to still "purge" pages through the MediaWiki Action API (which a "sitewide block" should have prevented).

An improper authorization vulnerability was found in mediawiki. Mediawiki bots may have unintended API access even when a sitewide block has been applied. An attacker can use this vulnerability to potentially utilize a bot to access the mediawiki API and conduct actions like purge pages.

Отчет

The mediawiki component was removed from OpenShift Container Platform (OCP) in version 4.3 onward. Therefore the OCP 4 component has been set as out of support scope (OOSS). Additionally, OCP 3.11 is in maintenance support for low and moderate impact vulnerabilities, hence the OCP 3.11 mediawiki component has also been set OOSS.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat OpenShift Container Platform 3.11mediawikiOut of support scope
Red Hat OpenShift Container Platform 4mediawikiOut of support scope

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-306
https://bugzilla.redhat.com/show_bug.cgi?id=1980308mediawiki: blocked users are able to purge pages impacting Integrity

7.5 High

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2021-35197

CVSS3: 7.5
ubuntu
больше 4 лет назад

In MediaWiki before 1.31.15, 1.32.x through 1.35.x before 1.35.3, and 1.36.x before 1.36.1, bots have certain unintended API access. When a bot account has a "sitewide block" applied, it is able to still "purge" pages through the MediaWiki Action API (which a "sitewide block" should have prevented).

nvd логотип

CVE-2021-35197

CVSS3: 7.5
nvd
больше 4 лет назад

In MediaWiki before 1.31.15, 1.32.x through 1.35.x before 1.35.3, and 1.36.x before 1.36.1, bots have certain unintended API access. When a bot account has a "sitewide block" applied, it is able to still "purge" pages through the MediaWiki Action API (which a "sitewide block" should have prevented).

debian логотип

CVE-2021-35197

CVSS3: 7.5
debian
больше 4 лет назад

In MediaWiki before 1.31.15, 1.32.x through 1.35.x before 1.35.3, and ...

github логотип

GHSA-8hhg-q8jv-q9c7

CVSS3: 7.5
github
больше 3 лет назад

In MediaWiki before 1.31.15, 1.32.x through 1.35.x before 1.35.3, and 1.36.x before 1.36.1, bots have certain unintended API access. When a bot account has a "sitewide block" applied, it is able to still "purge" pages through the MediaWiki Action API (which a "sitewide block" should have prevented).

fstec логотип

BDU:2022-01787

CVSS3: 7.5
fstec
больше 4 лет назад

Уязвимость программного средства для реализации гипертекстовой среды MediaWiki, позволяющая нарушителю оказать воздействие на целостность данных

7.5 High

CVSS3