CVE-2021-31552
Vulnerability from cvelistv5
Published
2021-04-22 02:29
Modified
2024-08-03 23:03
Severity ?
EPSS score ?
Summary
An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. It incorrectly executed certain rules related to blocking accounts after account creation. Such rules would allow for user accounts to be created while blocking only the IP address used to create an account (and not the user account itself). Such rules could also be used by a nefarious, unprivileged user to catalog and enumerate any number of IP addresses related to these account creations.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://gerrit.wikimedia.org/r/q/I8bae477ad7e4d0190335363ac2decf28e4313da1 | Issue Tracking, Vendor Advisory | |
cve@mitre.org | https://phabricator.wikimedia.org/T152394 | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://gerrit.wikimedia.org/r/q/I8bae477ad7e4d0190335363ac2decf28e4313da1 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://phabricator.wikimedia.org/T152394 | Third Party Advisory |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T23:03:33.164Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://phabricator.wikimedia.org/T152394" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://gerrit.wikimedia.org/r/q/I8bae477ad7e4d0190335363ac2decf28e4313da1" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. It incorrectly executed certain rules related to blocking accounts after account creation. Such rules would allow for user accounts to be created while blocking only the IP address used to create an account (and not the user account itself). Such rules could also be used by a nefarious, unprivileged user to catalog and enumerate any number of IP addresses related to these account creations." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-04-22T02:29:41", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://phabricator.wikimedia.org/T152394" }, { "tags": [ "x_refsource_MISC" ], "url": "https://gerrit.wikimedia.org/r/q/I8bae477ad7e4d0190335363ac2decf28e4313da1" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-31552", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. It incorrectly executed certain rules related to blocking accounts after account creation. Such rules would allow for user accounts to be created while blocking only the IP address used to create an account (and not the user account itself). Such rules could also be used by a nefarious, unprivileged user to catalog and enumerate any number of IP addresses related to these account creations." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://phabricator.wikimedia.org/T152394", "refsource": "MISC", "url": "https://phabricator.wikimedia.org/T152394" }, { "name": "https://gerrit.wikimedia.org/r/q/I8bae477ad7e4d0190335363ac2decf28e4313da1", "refsource": "MISC", "url": "https://gerrit.wikimedia.org/r/q/I8bae477ad7e4d0190335363ac2decf28e4313da1" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-31552", "datePublished": "2021-04-22T02:29:41", "dateReserved": "2021-04-22T00:00:00", "dateUpdated": "2024-08-03T23:03:33.164Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2021-31552\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2021-04-22T03:15:08.163\",\"lastModified\":\"2024-11-21T06:05:53.970\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. It incorrectly executed certain rules related to blocking accounts after account creation. Such rules would allow for user accounts to be created while blocking only the IP address used to create an account (and not the user account itself). Such rules could also be used by a nefarious, unprivileged user to catalog and enumerate any number of IP addresses related to these account creations.\"},{\"lang\":\"es\",\"value\":\"Se detect\u00f3 un problema en la extensi\u00f3n AbuseFilter para MediaWiki versiones hasta 1.35.2.\u0026#xa0;Ejecut\u00f3 inapropiadamente determinadas reglas relacionadas con el bloqueo de cuentas despu\u00e9s de la creaci\u00f3n de la cuenta.\u0026#xa0;Dichas reglas permitir\u00edan crear cuentas de usuario mientras se bloquea solo la direcci\u00f3n IP usada para crear una cuenta (y no la cuenta de usuario en s\u00ed).\u0026#xa0;Estas reglas tambi\u00e9n podr\u00edan ser usadas por un usuario infame y sin privilegios para catalogar y enumerar cualquier n\u00famero de direcciones IP relacionadas con estas creaciones de cuentas\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.5}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:P/I:P/A:N\",\"baseScore\":5.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-863\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mediawiki:mediawiki:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"1.35.2\",\"matchCriteriaId\":\"4067807D-769C-485F-A7E3-EE96885BDCE7\"}]}]}],\"references\":[{\"url\":\"https://gerrit.wikimedia.org/r/q/I8bae477ad7e4d0190335363ac2decf28e4313da1\",\"source\":\"cve@mitre.org\",\"tags\":[\"Issue Tracking\",\"Vendor Advisory\"]},{\"url\":\"https://phabricator.wikimedia.org/T152394\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://gerrit.wikimedia.org/r/q/I8bae477ad7e4d0190335363ac2decf28e4313da1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Vendor Advisory\"]},{\"url\":\"https://phabricator.wikimedia.org/T152394\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}" } }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.