CVE-2021-30159

See a problem?

Source

https://nvd.nist.gov/vuln/detail/CVE-2021-30159

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-30159.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2021-30159

Aliases

BIT-mediawiki-2021-30159

Related

Published

2021-04-09T07:15:16Z

Modified

2024-09-11T04:52:20.095956Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

[none]

Details

An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. Users can bypass intended restrictions on deleting pages in certain "fast double move" situations. MovePage::isValidMoveTarget() uses FOR UPDATE, but it's only called if Title::getArticleID() returns non-zero with no special flags. Next, MovePage::moveToInternal() will delete the page if getArticleID(READ_LATEST) is non-zero. Therefore, if the page is missing in the replica DB, isValidMove() will return true, and then moveToInternal() will unconditionally delete the page if it can be found in the master.

References

Affected packages

Debian:11 / mediawiki

Package

Name: mediawiki
Purl: pkg:deb/debian/mediawiki?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1:1.35.2-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / mediawiki

Package

Name: mediawiki
Purl: pkg:deb/debian/mediawiki?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1:1.35.2-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / mediawiki

Package

Name: mediawiki
Purl: pkg:deb/debian/mediawiki?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1:1.35.2-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/wikimedia/mediawiki

Affected ranges

Type: GIT
Repo: https://github.com/wikimedia/mediawiki
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

ef13e11da4bcab62a8cc6f5459cd094e6881f326

Affected versions

1.*

1.1.0

1.3.0beta1

1.31.0

1.31.0-rc.0

1.31.0-rc.1

1.31.0-rc.2

1.31.1

1.31.10

1.31.11

1.31.2

1.31.3

1.31.4

1.31.5

1.31.6

1.31.7

1.31.8

1.31.9

1.5.0alpha1

1.5.0alpha2

1.5.0beta1

1.5.0beta2

1.5.0beta3

1.5.0beta4

1.6.0