PT-2014-4579 · Wikimedia+1 · Mediawiki+1
Published
2014-03-02
·
Updated
2014-03-14
·
CVE-2014-2243
CVSS v2.0
5.8
Medium
| Vector | AV:N/AC:M/Au:N/C:P/I:P/A:N |
Name of the Vulnerable Software and Affected Versions
MediaWiki versions prior to 1.19.12
MediaWiki versions 1.20.x
MediaWiki versions 1.21.x prior to 1.21.6
MediaWiki versions 1.22.x prior to 1.22.3
Description
The issue makes it easier for remote attackers to obtain access via a brute-force attack that relies on timing differences in responses to incorrect token guesses, due to the termination of validation of a user token upon encountering the first incorrect character in the includes/User.php file.
Recommendations
For MediaWiki versions prior to 1.19.12, update to version 1.19.12 or later.
For MediaWiki versions 1.20.x, update to a version outside of the 1.20.x range, such as 1.19.12 or 1.21.6 or later.
For MediaWiki versions 1.21.x prior to 1.21.6, update to version 1.21.6 or later.
For MediaWiki versions 1.22.x prior to 1.22.3, update to version 1.22.3 or later.
Fix
Race Condition
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Mediawiki