CVE-2021-30159 Information
Share on:Description
An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. Users can bypass intended restrictions on deleting pages in certain ast double move\ situations. MovePage::isValidMoveTarget() uses FOR UPDATE but it’s only called if Title::getArticleID() returns non-zero with no special flags. Next MovePage::moveToInternal() will delete the page if getArticleID(READ_LATEST) is non-zero. Therefore if the page is missing in the replica DB isValidMove() will return true and then moveToInternal() will unconditionally delete the page if it can be found in the master.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Reference
https://phabricator.wikimedia.org/T272386 https://www.debian.org/security/2021/dsa-4889 https://lists.fedoraproject.org/archives/list/[email protected]/message/26UJGHF7LJDOCQN6A3Z4PM7PYRKENJHE/ https://lists.fedoraproject.org/archives/list/[email protected]/message/2OMSV7B2TCFBOCICN3B4SMQP5HVRJQIT/ https://lists.debian.org/debian-lts-announce/2021/05/msg00003.html https://lists.debian.org/debian-lts-announce/2021/05/msg00006.html https://security.gentoo.org/glsa/202107-40
Attack Complexity
LOW
Privileges Required
LOW
User Interaction Required
LOW
Scope
NONE
Confidentiality Impact
UNCHANGED
Integrity Impact
NONE
Availability Impact
LOW
Base Score
NONE
Base Severity
4.3