CVE-2020-25827 – mediawiki/core

Package

Manager: composer
Name: mediawiki/core
Vulnerable Version: >=1.31.0 <1.31.9 || >=1.32.0 <1.34.3

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00246 pctl0.47744

Details

OATHAuth extension in MediaWiki is not implementing rate limit An issue was discovered in the OATHAuth extension in MediaWiki before 1.31.9 and 1.32.x through 1.34.x before 1.34.3. For Wikis using OATHAuth on a farm/cluster (such as via CentralAuth), rate limiting of OATH tokens is only done on a single site level. Thus, multiple requests can be made across many wikis/sites concurrently.

Metadata

Created: 2022-05-24T17:29:42Z
Modified: 2024-05-17T21:56:33Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-rqvj-fc2x-99q6/GHSA-rqvj-fc2x-99q6.json
CWE IDs: ["CWE-307"]
Alternative ID: GHSA-rqvj-fc2x-99q6
Finding: F053
Auto approve: 1