{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2021-44857", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-04T04:32:13.362Z", "dateReserved": "2021-12-13T00:00:00.000Z", "datePublished": "2021-12-17T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-05-21T00:00:00.000Z"}, "descriptions": [{"lang": "en", "value": "An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. It is possible to use action=mcrundo followed by action=mcrrestore to replace the content of any arbitrary page (that the user doesn't have edit rights for). This applies to any public wiki, or a private wiki that has at least one page set in $wgWhitelistRead."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://phabricator.wikimedia.org/T297322"}, {"url": "https://www.mediawiki.org/wiki/2021-12_security_release/FAQ"}, {"name": "GLSA-202305-24", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202305-24"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T04:32:13.362Z"}, "title": "CVE Program Container", "references": [{"url": "https://phabricator.wikimedia.org/T297322", "tags": ["x_transferred"]}, {"url": "https://www.mediawiki.org/wiki/2021-12_security_release/FAQ", "tags": ["x_transferred"]}, {"name": "GLSA-202305-24", "tags": ["vendor-advisory", "x_transferred"], "url": "https://security.gentoo.org/glsa/202305-24"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mediawiki:mediawiki:*:*:*:*:*:*:*:*", "matchCriteriaId": "99942EE7-37A1-42CD-B392-8ED9362430E2", "versionEndExcluding": "1.35.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:mediawiki:mediawiki:*:*:*:*:*:*:*:*", "matchCriteriaId": "7377A8D6-3B2E-4FD6-820A-4CD632158111", "versionEndExcluding": "1.36.3", "versionStartIncluding": "1.36.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mediawiki:mediawiki:*:*:*:*:*:*:*:*", "matchCriteriaId": "5950CA7B-C437-4162-A8C5-5F31625145A8", "versionEndExcluding": "1.37.1", "versionStartIncluding": "1.37.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. It is possible to use action=mcrundo followed by action=mcrrestore to replace the content of any arbitrary page (that the user doesn't have edit rights for). This applies to any public wiki, or a private wiki that has at least one page set in $wgWhitelistRead."}, {"lang": "es", "value": "Se ha detectado un problema en MediaWiki versiones anteriores a 1.35.5, versiones 1.36.x anteriores a 1.36.3 y versiones 1.37.x anteriores a 1.37.1. Es posible usar action=mcrundo seguido de action=mcrrestore para reemplazar el contenido de cualquier p\u00e1gina arbitraria (para la que el usuario no tenga derechos de edici\u00f3n). Esto se aplica a cualquier wiki p\u00fablico, o a un wiki privado que tenga al menos una p\u00e1gina establecida en $wgWhitelistRead"}], "id": "CVE-2021-44857", "lastModified": "2024-11-21T06:31:37.170", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-12-17T04:15:39.137", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://phabricator.wikimedia.org/T297322"}, {"source": "cve@mitre.org", "url": "https://security.gentoo.org/glsa/202305-24"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.mediawiki.org/wiki/2021-12_security_release/FAQ"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://phabricator.wikimedia.org/T297322"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.gentoo.org/glsa/202305-24"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.mediawiki.org/wiki/2021-12_security_release/FAQ"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "mediawiki: information disclosure and manipulation possible under specific conditions", "id": "2036702", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2036702"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "status": "draft"}, "cwe": "CWE-269", "details": ["An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. It is possible to use action=mcrundo followed by action=mcrrestore to replace the content of any arbitrary page (that the user doesn't have edit rights for). This applies to any public wiki, or a private wiki that has at least one page set in $wgWhitelistRead.", "A flaw was found in mediawiki. The \"mcrundo\" and \"mcrrestore\" actions (action=mcrundo and action=mcrrestore) did not properly check for editing permissions and allowed an attacker to take the content of any arbitrary revision and save it on any page of their choosing. This affects both public wikis and public pages on private wikis."], "name": "CVE-2021-44857", "package_state": [{"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Out of support scope", "package_name": "mediawiki", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Out of support scope", "package_name": "mediawiki", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2021-12-16T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-44857\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-44857"], "statement": "The mediawiki package was removed from OpenShift Container Platform (OCP) in version 4.3, therefore for OCP 4 has been marked as out of support scope.", "threat_severity": "Moderate"}

{}