PT-2023-8951 · Mediawiki+2 · Mediawiki Checkuser Extension+2

Dom_Walden

·

Published

2023-10-08

·

Updated

2024-08-20

·

CVE-2023-45367

CVSS v2.0

6.8

Medium

VectorAV:N/AC:L/Au:S/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions MediaWiki CheckUser extension versions 1.35.12 and earlier, versions 1.36.x through 1.39.x before 1.39.5, and versions 1.40.x before 1.40.1
Description An issue was discovered in the CheckUser extension for MediaWiki. A user can use a "rest.php/checkuser/v0/useragent-clienthints/revision/" URL to store an arbitrary number of rows in cu useragent clienthints, leading to a denial of service. The exploitation of this issue may allow a remote attacker to cause a denial of service.
Recommendations For MediaWiki CheckUser extension versions 1.35.12 and earlier, update to version 1.35.12 or later. For MediaWiki CheckUser extension versions 1.36.x through 1.39.x before 1.39.5, update to version 1.39.5 or later. For MediaWiki CheckUser extension versions 1.40.x before 1.40.1, update to version 1.40.1 or later. As a temporary workaround, consider restricting access to the "rest.php/checkuser/v0/useragent-clienthints/revision/" URL to minimize the risk of exploitation.

Exploit

Fix

Improper Resource Release

Weakness Enumeration

CWE-404

Related Identifiers

ALT-PU-2023-6419
ALT-PU-2024-11168
ALT-PU-2024-1228
BDU:2024-02753
BIT-MEDIAWIKI-2023-45367
CVE-2023-45367

Affected Products

Alt Linux
Mediawiki Checkuser Extension
Red Os