GHSA-rqvj-fc2x-99q6

Suggest an improvement
Source
https://github.com/advisories/GHSA-rqvj-fc2x-99q6
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-rqvj-fc2x-99q6/GHSA-rqvj-fc2x-99q6.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-rqvj-fc2x-99q6
Aliases
Published
2022-05-24T17:29:42Z
Modified
2024-05-17T22:11:44.203027Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
OATHAuth extension in MediaWiki is not implementing rate limit
Details

An issue was discovered in the OATHAuth extension in MediaWiki before 1.31.9 and 1.32.x through 1.34.x before 1.34.3. For Wikis using OATHAuth on a farm/cluster (such as via CentralAuth), rate limiting of OATH tokens is only done on a single site level. Thus, multiple requests can be made across many wikis/sites concurrently.

Database specific
{
    "nvd_published_at": "2020-09-27T21:15:00Z",
    "cwe_ids": [
        "CWE-307"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-17T21:56:33Z"
}
References

Affected packages

Packagist / mediawiki/core

Package

Name
mediawiki/core
Purl
pkg:composer/mediawiki/core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.31.0
Fixed
1.31.9

Affected versions

1.*

1.31.0
1.31.1
1.31.2
1.31.3
1.31.4
1.31.5
1.31.6
1.31.7
1.31.8

Packagist / mediawiki/core

Package

Name
mediawiki/core
Purl
pkg:composer/mediawiki/core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.32.0
Fixed
1.34.3

Affected versions

1.*

1.32.0
1.32.1
1.32.2
1.32.3
1.32.4
1.32.5
1.32.6
1.33.0-rc.0
1.33.0
1.33.1
1.33.2
1.33.3
1.33.4
1.34.0-rc.0
1.34.0-rc.1
1.34.0
1.34.1
1.34.2