GHSA-rmcp-9fhq-58pv

Source

https://github.com/advisories/GHSA-rmcp-9fhq-58pv

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-rmcp-9fhq-58pv/GHSA-rmcp-9fhq-58pv.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-rmcp-9fhq-58pv

Aliases

CVE-2024-47913

Published

2024-10-05T00:34:19Z

Modified

2024-12-06T22:27:14.714040Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Improper permissions handling in MediaWiki AbuseFilter

Details

An issue was discovered in the AbuseFilter extension for MediaWiki before 1.39.9, 1.40.x and 1.41.x before 1.41.3, and 1.42.x before 1.42.2. An API caller can match a filter condition against AbuseFilter logs even if the caller is not authorized to view the log details for the filter.

Database specific

{
    "nvd_published_at": "2024-10-04T22:15:02Z",
    "cwe_ids": [
        "CWE-532"
    ],
    "severity": "MODERATE",
    "github_reviewed_at": "2024-12-06T22:11:48Z",
    "github_reviewed": true
}

References

Affected packages

Packagist / mediawiki/abuse-filter

Package

Name: mediawiki/abuse-filter
Purl: pkg:composer/mediawiki/abuse-filter

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.39.9

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-rmcp-9fhq-58pv/GHSA-rmcp-9fhq-58pv.json"

Packagist / mediawiki/abuse-filter

Package

Name: mediawiki/abuse-filter
Purl: pkg:composer/mediawiki/abuse-filter

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.40.0

Fixed

1.41.3

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-rmcp-9fhq-58pv/GHSA-rmcp-9fhq-58pv.json"

Packagist / mediawiki/abuse-filter

Package

Name: mediawiki/abuse-filter
Purl: pkg:composer/mediawiki/abuse-filter

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.42.0

Fixed

1.42.2

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-rmcp-9fhq-58pv/GHSA-rmcp-9fhq-58pv.json"