1948638 – (CVE-2021-30159) CVE-2021-30159 mediawiki: users can bypass intended restrictions on deleting pages in certain "fast double move" situations

Bug 1948638 (CVE-2021-30159) - CVE-2021-30159 mediawiki: users can bypass intended restrictions on deleting pages in certain "fast double move" situations

Summary: CVE-2021-30159 mediawiki: users can bypass intended restrictions on deleting ...

Keywords:
Status:	CLOSED WONTFIX
Alias:	CVE-2021-30159
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1947340 1948639
Blocks:	1948646
TreeView+	depends on / blocked

Reported:	2021-04-12 16:34 UTC by Guilherme de Almeida Suckevicz
Modified:	2021-10-28 08:50 UTC (History)
CC List:	11 users (show)
Fixed In Version:	mediawiki 1.31.12, mediawiki 1.35.2
Doc Type:	If docs needed, set a value
Doc Text:	In the mediawiki package, users can bypass intended restrictions on deleting pages in certain "fast double move" situations.
Clone Of:
Environment:
Last Closed:	2021-10-28 08:50:50 UTC
Embargoed:

Attachments	(Terms of Use)

Description Guilherme de Almeida Suckevicz 2021-04-12 16:34:48 UTC

An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. Users can bypass intended restrictions on deleting pages in certain "fast double move" situations. MovePage::isValidMoveTarget() uses FOR UPDATE, but it's only called if Title::getArticleID() returns non-zero with no special flags. Next, MovePage::moveToInternal() will delete the page if getArticleID(READ_LATEST) is non-zero. Therefore, if the page is missing in the replica DB, isValidMove() will return true, and then moveToInternal() will unconditionally delete the page if it can be found in the master.

Reference:
https://phabricator.wikimedia.org/T272386

Comment 1 Guilherme de Almeida Suckevicz 2021-04-12 16:35:15 UTC

Created mediawiki tracking bugs for this issue:

Affects: fedora-all [bug 1948639]

Comment 2 Przemyslaw Roguski 2021-04-13 10:35:18 UTC

Statement:

The mediawiki package was removed from OpenShift Container Platform (OCP) in version 4.3, therefore for OCP 4 has been marked as out of support scope.

Note You need to log in before you can comment on or make changes to this bug.