Incorrect permission assignment for critical resource in MediaWiki

#VU54647 Incorrect permission assignment for critical resource in MediaWiki

Published: 2021-07-09

Vulnerability identifier: #VU54647

Vulnerability risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-36129

CWE-ID: CWE-732

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
MediaWiki
Web applications / CMS

Vendor: MediaWiki.org

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists in the Translate extension due to the Aggregategroups Action API module does not validate the parameter for aggregategroup when action=remove is set. A remote authenticated attacker can delete various groups' metadata.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

MediaWiki: 1.36.0, 1.31.0 - 1.31.14, 1.35.0 - 1.35.2

External links
http://phabricator.wikimedia.org/T282932
http://gerrit.wikimedia.org/r/q/I3619a7e88c2eb979babb7b027d4fdbfabc0af792

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in MediaWiki