Improper access control in MediaWiki - CVE-2015-8001

 


Published: November 9, 2015 / Updated: August 9, 2020


Vulnerability identifier: #VU40603
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2015-8001
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: MediaWiki.org
Affected software:
MediaWiki

Detailed vulnerability description

The vulnerability allows a remote authenticated user to cause a denial of service.

The chunked upload API (ApiUpload) in MediaWiki before 1.23.11, 1.24.x before 1.24.4, and 1.25.x before 1.25.3 does not restrict the uploaded data to the claimed file size, which allows remote authenticated users to cause a denial of service via a chunk that exceeds the file size.
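One way to enforce the missing bound described above, as an added example that is not MediaWiki's code or its patch: a hypothetical `ChunkedUploadSession` class that compares the measured length of every chunk against the size declared when the upload started. All class, method and parameter names are assumptions made for illustration.

```python
"""Constructed sketch: size accounting for a chunked upload session.
Not MediaWiki code; every name here is hypothetical."""


class ChunkRejected(Exception):
    """A chunk (or the declared size) is inconsistent with the session."""


class ChunkedUploadSession:
    def __init__(self, claimed_size: int, max_file_size: int):
        # The declared total is itself untrusted: bound it by site policy.
        if not 0 < claimed_size <= max_file_size:
            raise ChunkRejected("declared file size outside permitted range")
        self.claimed_size = claimed_size
        self.received = 0   # bytes accepted so far
        self._parts = []    # stands in for the server-side stash

    def append_chunk(self, offset: int, data: bytes) -> int:
        # Chunks must continue exactly where the previous one ended,
        # so overlapping or gapped offsets cannot skew the accounting.
        if offset != self.received:
            raise ChunkRejected("offset does not match bytes received")
        if not data:
            raise ChunkRejected("empty chunk")
        # The bound this class of bug omits: use the measured length of
        # the data, never a client-supplied length field, and refuse
        # anything that would carry the total past the declared size.
        if self.received + len(data) > self.claimed_size:
            raise ChunkRejected("chunk exceeds declared file size")
        self._parts.append(data)
        self.received += len(data)
        return self.received

    def is_complete(self) -> bool:
        return self.received == self.claimed_size

    def assemble(self) -> bytes:
        # Only a session that reached exactly the declared size is usable.
        if not self.is_complete():
            raise ChunkRejected("upload incomplete")
        return b"".join(self._parts)


if __name__ == "__main__":
    session = ChunkedUploadSession(claimed_size=10, max_file_size=100)
    session.append_chunk(0, b"12345")
    try:
        session.append_chunk(5, b"123456")   # constructed oversized chunk
    except ChunkRejected as err:
        print("rejected:", err)
    session.append_chunk(5, b"67890")
    print("assembled", len(session.assemble()), "bytes")
```

A rejected chunk leaves the session state untouched, so a legitimate client can retry with correctly sized data.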


How to mitigate CVE-2015-8001

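Install the update from the vendor's website. The description above gives 1.23.11, 1.24.4 and 1.25.3 as the first releases in each branch that are not affected.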
