Bug 2036702 (CVE-2021-44857)
| Summary: | CVE-2021-44857 mediawiki: information disclosure and manipulation possible under specific conditions | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Marian Rehak <mrehak> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED WONTFIX | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | aos-bugs, Axel.Thimm, bmontgom, eparis, jburrell, jokerman, mike, nstielau, puiterwijk, shurley, sponnaga |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | mediawiki 1.35.5, mediawiki 1.36.3, mediawiki 1.37.1 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw was found in mediawiki. The "mcrundo" and "mcrrestore" actions (action=mcrundo and action=mcrrestore) did not properly check for editing permissions and allowed an attacker to take the content of any arbitrary revision and save it on any page of their choosing. This affects both public wikis and public pages on private wikis.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-01-07 16:40:37 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2036703 | ||
| Bug Blocks: | 2036706 | ||
|
Description
Marian Rehak
2022-01-03 15:54:00 UTC
Created mediawiki tracking bugs for this issue: Affects: fedora-all [bug 2036703] This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-44857 |