Improper Authentication Affecting mediawiki package, versions <1:1.31.14-1~deb10u1
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-DEBIAN10-MEDIAWIKI-1243879
- published 7 Apr 2021
- disclosed 6 Apr 2021
Introduced: 6 Apr 2021
CVE-2021-30158 Open this link in a new tabHow to fix?
Upgrade Debian:10 mediawiki to version 1:1.31.14-1~deb10u1 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream mediawiki package and not the mediawiki package as distributed by Debian.
See How to fix? for Debian:10 relevant fixed versions and status.
An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. Blocked users are unable to use Special:ResetTokens. This has security relevance because a blocked user might have accidentally shared a token, or might know that a token has been compromised, and yet is not able to block any potential future use of the token by an unauthorized party.
References
- https://security-tracker.debian.org/tracker/CVE-2021-30158
- https://www.debian.org/security/2021/dsa-4889
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/26UJGHF7LJDOCQN6A3Z4PM7PYRKENJHE/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2OMSV7B2TCFBOCICN3B4SMQP5HVRJQIT/
- https://phabricator.wikimedia.org/T277009
- https://lists.debian.org/debian-lts-announce/2021/05/msg00003.html
- https://lists.debian.org/debian-lts-announce/2021/05/msg00006.html
- https://security.gentoo.org/glsa/202107-40
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/26UJGHF7LJDOCQN6A3Z4PM7PYRKENJHE/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2OMSV7B2TCFBOCICN3B4SMQP5HVRJQIT/