Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2021-44857

Опубликовано: 16 дек. 2021
Источник: redhat
CVSS3: 6.5

Описание

An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. It is possible to use action=mcrundo followed by action=mcrrestore to replace the content of any arbitrary page (that the user doesn't have edit rights for). This applies to any public wiki, or a private wiki that has at least one page set in $wgWhitelistRead.

A flaw was found in mediawiki. The "mcrundo" and "mcrrestore" actions (action=mcrundo and action=mcrrestore) did not properly check for editing permissions and allowed an attacker to take the content of any arbitrary revision and save it on any page of their choosing. This affects both public wikis and public pages on private wikis.

Отчет

The mediawiki package was removed from OpenShift Container Platform (OCP) in version 4.3, therefore for OCP 4 has been marked as out of support scope.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat OpenShift Container Platform 3.11mediawikiOut of support scope
Red Hat OpenShift Container Platform 4mediawikiOut of support scope

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-269
https://bugzilla.redhat.com/show_bug.cgi?id=2036702mediawiki: information disclosure and manipulation possible under specific conditions

6.5 Medium

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2021-44857

CVSS3: 6.5
ubuntu
около 4 лет назад

An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. It is possible to use action=mcrundo followed by action=mcrrestore to replace the content of any arbitrary page (that the user doesn't have edit rights for). This applies to any public wiki, or a private wiki that has at least one page set in $wgWhitelistRead.

nvd логотип

CVE-2021-44857

CVSS3: 6.5
nvd
около 4 лет назад

An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. It is possible to use action=mcrundo followed by action=mcrrestore to replace the content of any arbitrary page (that the user doesn't have edit rights for). This applies to any public wiki, or a private wiki that has at least one page set in $wgWhitelistRead.

debian логотип

CVE-2021-44857

CVSS3: 6.5
debian
около 4 лет назад

An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36 ...

github логотип

GHSA-x4wg-g4fv-f8m6

CVSS3: 6.5
github
около 4 лет назад

An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. It is possible to use action=mcrundo followed by action=mcrrestore to replace the content of any arbitrary page (that the user doesn't have edit rights for). This applies to any public wiki, or a private wiki that has at least one page set in $wgWhitelistRead.

6.5 Medium

CVSS3