Fluid Attacks Database

Description

OATHAuth extension in MediaWiki is not implementing rate limit An issue was discovered in the OATHAuth extension in MediaWiki before 1.31.9 and 1.32.x through 1.34.x before 1.34.3. For Wikis using OATHAuth on a farm/cluster (such as via CentralAuth), rate limiting of OATH tokens is only done on a single site level. Thus, multiple requests can be made across many wikis/sites concurrently.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
packagist	mediawiki/core	>=1.31.0 <1.31.9 \|\| >=1.32.0 <1.34.3	1.31.9, 1.34.3
debian 12	mediawiki	>=0 <1:1.35.0-1	1:1.35.0-1
debian 11	mediawiki	>=0 <1:1.35.0-1	1:1.35.0-1
debian 13	mediawiki	>=0 <1:1.35.0-1	1:1.35.0-1
debian 14	mediawiki	>=0 <1:1.35.0-1	1:1.35.0-1

Aliases

1. CVE-2020-258272. NVD-2020-258273. OSV-2020-258274. OSV-DEBIAN-2020-258275. GCVE-2020-258276. SECURITY-TRACKER-CVE-2020-25827

References

1. https://github.com/FriendsOfPHP/security-advisories/blob/master/mediawiki/core/CVE-2020-25827.yaml2. https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RTTPZ7XMDS66I442OLLHXBDNP2LCBJU63. https://lists.fedoraproject.org/archives/list/[email protected]/message/RTTPZ7XMDS66I442OLLHXBDNP2LCBJU64. https://lists.wikimedia.org/pipermail/mediawiki-l/2020-September/048480.html5. https://lists.wikimedia.org/pipermail/mediawiki-l/2020-September/048488.html6. https://phabricator.wikimedia.org/T251661