PT-2023-8952 · Mediawiki+2 · Mediawiki+2

Xiplus

·

Publicado

2023-10-08

·

Atualizado

2024-10-15

·

CVE-2023-45363

CVSS v4.0

8.7

Alta

VetorAV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions MediaWiki versions prior to 1.35.12 MediaWiki versions 1.36.x through 1.39.x before 1.39.5 MediaWiki versions 1.40.x before 1.40.1
Description The issue in ApiPageSet.php allows attackers to cause a denial of service (unbounded loop and RequestTimeoutException) when querying pages redirected to other variants with redirects and converttitles set. This can be exploited by remote attackers.
Recommendations For MediaWiki versions prior to 1.35.12, update to version 1.35.12 or later. For MediaWiki versions 1.36.x through 1.39.x, update to version 1.39.5 or later. For MediaWiki versions 1.40.x before 1.40.1, update to version 1.40.1 or later. As a temporary workaround, consider restricting access to the ApiPageSet.php file until a patch is available. Avoid querying pages with redirects and converttitles set until the issue is resolved.

Exploit

Correção

DoS

Infinite Loop

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-835

Identificadores relacionados

ALT-PU-2023-6419
ALT-PU-2024-11168
ALT-PU-2024-1228
BDU:2024-02754
BIT-MEDIAWIKI-2023-45363
CVE-2023-45363
DLA-3671-1
DSA-5520-1
GHSA-W5FX-CX7F-6VR9
MGASA-2024-0155

Produtos afetados

Alt Linux
Mediawiki
Red Os