MediaWiki < 1.37.3 Multiple Vulnerabilities

medium Web App Scanning Plugin ID 113996

Synopsis

MediaWiki < 1.37.3 Multiple Vulnerabilities

Description

According to its self-reported version number, the instance of MediaWiki hosted on the remote web server is prior to 1.37.3. It is, therefore, affected by multiple vulnerabilities as follows:

- The AbuseFilter extension improperly handles account blocks for certain automatically created MediaWiki user accounts, thus enabling malicious users to remain unblocked.

- The AbuseFilter extension improperly executed rules related to blocking accounts after account creation, thus blocking only the original IP used to create an account and not the account itself.

- The AbuseFilter extension improperly executed blocking rules, thus permitting user accounts that were partially or fully blocked to complete edits.

- The AbuseFilter CheckMatch API reveals suppressed edits and usernames to unprivileged users through the iteration of crafted AbuseFilter rules.

- The AbuseFilter extension incorrectly logged sensitive suppression deletions, which are visible to users with access to view AbuseFilter log data.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to MediaWiki version 1.37.3 or later.

See Also

https://phabricator.wikimedia.org/T152394

https://phabricator.wikimedia.org/T272244

https://phabricator.wikimedia.org/T272333

https://phabricator.wikimedia.org/T71617

Plugin Details

Severity: Medium

ID: 113996

Type: remote

Published: 8/7/2023

Updated: 8/9/2023

Scan Template: api, basic, full, pci, scan

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N

CVSS Score Source: CVE-2021-31552

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CVSS Score Source: CVE-2021-31548

Vulnerability Information

CPE: cpe:2.3:a:mediawiki:mediawiki:*:*:*:*:*:*:*:*

Exploit Ease: No known exploits are available

Patch Publication Date: 6/21/2021

Vulnerability Publication Date: 4/9/2021

Reference Information

CVE: CVE-2021-31546, CVE-2021-31547, CVE-2021-31548, CVE-2021-31552, CVE-2021-31554

CWE: 200, 532, 863

OWASP: 2010-A6, 2010-A8, 2013-A5, 2013-A7, 2013-A9, 2017-A5, 2017-A6, 2017-A9, 2021-A1, 2021-A4, 2021-A6

WASC: Application Misconfiguration, Information Leakage, Insufficient Authorization

CAPEC: 116, 13, 169, 22, 224, 285, 287, 290, 291, 292, 293, 294, 295, 296, 297, 298, 299, 300, 301, 302, 303, 304, 305, 306, 307, 308, 309, 310, 312, 313, 317, 318, 319, 320, 321, 322, 323, 324, 325, 326, 327, 328, 329, 330, 37, 472, 497, 508, 573, 574, 575, 576, 577, 59, 60, 616, 643, 646, 651, 79

DISA STIG: APSC-DV-000460, APSC-DV-002480, APSC-DV-002630

HIPAA: 164.306(a)(1), 164.306(a)(2), 164.312(a)(1), 164.312(a)(2)(i)

ISO: 27001-A.13.1.1, 27001-A.14.1.2, 27001-A.14.1.3, 27001-A.14.2.5, 27001-A.18.1.3, 27001-A.6.2.2, 27001-A.9.1.2, 27001-A.9.4.1, 27001-A.9.4.4, 27001-A.9.4.5

NIST: sp800_53-AC-3, sp800_53-CM-6b, sp800_53-SI-15

OWASP API: 2019-API7, 2023-API8

OWASP ASVS: 4.0.2-14.2.1, 4.0.2-8.2.1, 4.0.2-8.3.4

PCI-DSS: 3.2-2.2, 3.2-6.2, 3.2-6.5.8