PT-2021-3352 · Mediawiki+1
Primehunter · Published 2021-04-09 · Updated 2024-03-06 · CVE-2021-30159
CVSS v3.1: 4.3 Medium
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
MediaWiki versions 1.31.0 through 1.31.11
MediaWiki versions 1.32.x through 1.35.1
Description
An issue in MediaWiki allows users to bypass intended restrictions on deleting pages in certain "fast double move" situations. The MovePage::isValidMoveTarget() function uses FOR UPDATE, but it's only called if Title::getArticleID() returns non-zero with no special flags. Next, MovePage::moveToInternal() will delete the page if getArticleID(READ_LATEST) is non-zero. Therefore, if the page is missing in the replica DB, isValidMove() will return true, and then moveToInternal() will unconditionally delete the page if it can be found in the master. This is related to insufficient access control in the MovePage::isValidMoveTarget(), Title::getArticleID(), and MovePage::moveToInternal() functions.
Recommendations
For MediaWiki versions 1.31.0 through 1.31.11, update to version 1.31.12 or later.
For MediaWiki versions 1.32.x through 1.35.1, update to version 1.35.2 or later.
As a temporary workaround, consider restricting access to the MovePage::moveToInternal() function until a patch is available.
Avoid using the Title::getArticleID() function with no special flags in the affected API endpoints until the issue is resolved.
Exploit
Fix
Improper Access Control
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Mediawiki
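
The replica-versus-master gap from the Description, as an added Python model (not MediaWiki code and not the upstream patch). The Wiki class, its two dicts, the simplified target rule and the check_latest switch are all assumptions made for illustration: with check_latest=False the target's existence is read from the lagging replica, so validation is skipped, and with check_latest=True both decisions read the master.

```python
class Wiki:
    """Hypothetical model: two dicts stand in for the master DB and a lagging replica."""

    def __init__(self):
        self.master, self.replica = {}, {}

    def save(self, title, page_id, redirect_to=None, revisions=1):
        # Writes always go to the master only.
        self.master[title] = {"id": page_id, "redirect_to": redirect_to,
                              "revisions": revisions}

    def replicate(self):
        # Replica catches up with the master.
        self.replica = {t: dict(p) for t, p in self.master.items()}

    def article_id(self, title, latest=False):
        # latest=False reads the replica; latest=True reads the master.
        db = self.master if latest else self.replica
        return db[title]["id"] if title in db else 0

    def is_valid_move_target(self, src, dst):
        # Simplified rule (assumption): only a one-revision redirect
        # pointing back at src may be overwritten by a move.
        page = self.master.get(dst)
        return (page is not None and page["redirect_to"] == src
                and page["revisions"] == 1)

    def move(self, src, dst, check_latest):
        # Decision 1: does the target exist, and if so may it be overwritten?
        if self.article_id(dst, latest=check_latest) != 0:
            if not self.is_valid_move_target(src, dst):
                return "rejected"
        # Decision 2: delete the target if the master says it exists.
        if self.article_id(dst, latest=True) != 0:
            del self.master[dst]
        self.master[dst] = self.master.pop(src)
        return "moved"


def demo(check_latest):
    wiki = Wiki()
    wiki.save("Source", 1)
    wiki.replicate()
    wiki.save("Target", 2, revisions=5)  # constructed: on master, not yet replicated
    result = wiki.move("Source", "Target", check_latest)
    return result, wiki.master["Target"]["id"]


if __name__ == "__main__":
    print(demo(check_latest=False))  # stale existence check
    print(demo(check_latest=True))   # existence check against the master
```
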