PT-2020-6813 · Oathauth+3

Suffusion_Of_Yellow · Published 2020-09-25 · Updated 2024-03-06

CVE-2020-25827 · CVSS v2.0 7.8 (High) · Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N
Name of the Vulnerable Software and Affected Versions

MediaWiki versions prior to 1.31.10
MediaWiki versions 1.32.x through 1.34.x before 1.34.4
Description

The OATHAuth extension for MediaWiki insufficiently restricts failed second-factor (OATH/TOTP token) authentication attempts. A remote attacker who already knows a user's password can bypass the second factor by brute-forcing the one-time code. OATHAuth does throttle failed token checks, but on a wiki farm or cluster with shared accounts (for example one using CentralAuth) the throttle is keyed per site only. The attacker can therefore spend the full per-site attempt budget on every wiki in the farm concurrently, all against the same account: with N wikis the number of guesses available per rate-limit window grows by a factor of N, and a six-digit code valid for a 30-second step becomes correspondingly easier to guess.
Recommendations

For MediaWiki versions prior to 1.31.10, update to version 1.31.10 or later. For MediaWiki versions 1.32.x through 1.34.x, update to version 1.34.4 or later. If upgrading is not immediately possible, as a temporary workaround apply the rate limit for failed OATH token checks at a scope shared by all wikis in the farm or cluster, i.e. keyed on the central (CentralAuth) account identity and stored where every wiki can read it, rather than per site. Also review authentication logs for bursts of failed token checks against the same account spread across several wikis, which is the signature of this attack.
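The farm-wide bypass and the fix side by side, as an added example constructed for this page (it is not MediaWiki or OATHAuth code): a fixed-window limiter whose counter is keyed per site, beside the same limiter keyed on the central account, driven by an attacker who already knows the password and sprays TOTP guesses across three hypothetical wikis. The RFC 4226 test secret, the site names, the user "alice", the 10-attempts-per-minute budget and the 900-wiki farm size are assumptions, not values from the advisory.

```python
"""Why per-site OATH throttling fails on a wiki farm, and why a farm-wide
key fixes it.  Constructed model for illustration, not MediaWiki/OATHAuth code."""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# RFC 4226 Appendix D test secret (assumption); a real TOTP seed would be random.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, now: float, step: int = 30, skew: int = 1) -> bool:
    """TOTP (RFC 6238) check accepting +/-`skew` steps, so 2*skew+1 codes are valid at once."""
    counter = int(now // step)
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-skew, skew + 1))


@dataclass
class FixedWindowLimiter:
    """Fixed-window counter of token checks. `key_fn` decides what the counter is
    scoped to; that scoping choice is the whole vulnerability."""
    max_attempts: int
    window_seconds: int
    key_fn: Callable[[str, str], str]
    _counters: Dict[Tuple[str, int], int] = field(default_factory=dict)

    def allow(self, site: str, user: str, now: float) -> bool:
        key = (self.key_fn(site, user), int(now // self.window_seconds))
        used = self._counters.get(key, 0)
        if used >= self.max_attempts:
            return False
        self._counters[key] = used + 1
        return True


def per_site_key(site: str, user: str) -> str:
    """Vulnerable scoping: every wiki in the farm has its own budget for the same account."""
    return f"{site}:{user}"


def global_key(site: str, user: str) -> str:
    """Fixed scoping: one budget per farm-wide (central) account, whichever site is hit."""
    return f"central:{user}"


def spray(limiter: FixedWindowLimiter, secret: bytes, sites: List[str], user: str,
          candidates: List[str], now: float) -> Tuple[int, bool]:
    """Attacker who knows the password walks one list of candidate codes, exhausting each
    site's budget before moving to the next. Returns (attempts made, second factor bypassed)."""
    attempts, i = 0, 0
    for site in sites:
        while i < len(candidates) and limiter.allow(site, user, now):
            attempts += 1
            if verify_totp(secret, candidates[i], now):
                return attempts, True
            i += 1
    return attempts, False


def build_candidates(secret: bytes, now: float, real_position: int, total: int = 50,
                     step: int = 30, skew: int = 1) -> List[str]:
    """Constructed guess list: `total` codes, all wrong except the current real code placed at
    index `real_position` (codes valid in adjacent steps are excluded so the outcome is deterministic)."""
    counter = int(now // step)
    accepted = {hotp(secret, counter + d) for d in range(-skew, skew + 1)}
    wrong, n = [], 0
    while len(wrong) < total - 1:
        code = f"{n:06d}"
        if code not in accepted:
            wrong.append(code)
        n += 1
    return wrong[:real_position] + [hotp(secret, counter)] + wrong[real_position:]


def success_probability(attempts: int, digits: int = 6, accepted_codes: int = 3) -> float:
    """P(at least one of `attempts` distinct guesses hits one of `accepted_codes` valid codes)."""
    space = 10 ** digits
    p_miss = 1.0
    for i in range(attempts):
        p_miss *= (space - accepted_codes - i) / (space - i)
    return 1.0 - p_miss


if __name__ == "__main__":
    now = 59.0  # RFC 6238 test time; the current code is hotp(SECRET, 1) == "287082"
    sites = ["en", "de", "fr"]  # three hypothetical wikis sharing one account store
    guesses = build_candidates(SECRET, now, real_position=29)
    for name, key_fn in (("per-site", per_site_key), ("farm-wide", global_key)):
        limiter = FixedWindowLimiter(max_attempts=10, window_seconds=60, key_fn=key_fn)
        print(name, spray(limiter, SECRET, sites, "alice", guesses, now))
    # Assumed farm size: 10 guesses per wiki per window across 900 wikis vs. 10 in total.
    print(f"{success_probability(10):.2e} vs {success_probability(10 * 900):.2e}")
```

With three sites and a budget of 10 per window, the per-site limiter lets the attacker through 30 guesses and reach the real code; the farm-wide limiter stops the run after 10 guesses regardless of how many wikis are tried. The farm-wide key only works if the counter lives in a store every wiki can read and update (a shared cache or the central database), which is the operational requirement behind the workaround above.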

Weakness Enumeration

CWE-307: Improper Restriction of Excessive Authentication Attempts

Related Identifiers

ALT-PU-2020-3022
ALT-PU-2020-3055
BDU:2022-07046
BIT-MEDIAWIKI-2020-25827
CVE-2020-25827
DLA-2379-1
DLA-2379-2
DLA-2379-3
DSA-4767-1
GHSA-RQVJ-FC2X-99Q6
MGASA-2020-0381

Affected Products

Alt Linux
Centralauth
Mediawiki
Oathauth