CVE-2021-30159 Information

Description

An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. Users can bypass intended restrictions on deleting pages in certain ast double move\ situations. MovePage::isValidMoveTarget() uses FOR UPDATE but it’s only called if Title::getArticleID() returns non-zero with no special flags. Next MovePage::moveToInternal() will delete the page if getArticleID(READ_LATEST) is non-zero. Therefore if the page is missing in the replica DB isValidMove() will return true and then moveToInternal() will unconditionally delete the page if it can be found in the master.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Reference

https://phabricator.wikimedia.org/T272386 https://www.debian.org/security/2021/dsa-4889 https://lists.fedoraproject.org/archives/list/[email protected]/message/26UJGHF7LJDOCQN6A3Z4PM7PYRKENJHE/ https://lists.fedoraproject.org/archives/list/[email protected]/message/2OMSV7B2TCFBOCICN3B4SMQP5HVRJQIT/ https://lists.debian.org/debian-lts-announce/2021/05/msg00003.html https://lists.debian.org/debian-lts-announce/2021/05/msg00006.html https://security.gentoo.org/glsa/202107-40

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

NONE

Availability Impact

LOW

Base Score

NONE

Base Severity

4.3