CVE-2021-30159
Description
An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. Users can bypass intended restrictions on deleting pages in certain "fast double move" situations. MovePage::isValidMoveTarget() uses FOR UPDATE, but it's only called if Title::getArticleID() returns non-zero with no special flags. Next, MovePage::moveToInternal() will delete the page if getArticleID(READ_LATEST) is non-zero. Therefore, if the page is missing in the replica DB, isValidMove() will return true, and then moveToInternal() will unconditionally delete the page if it can be found in the master.
How to fix CVE-2021-30159
To remediate CVE-2021-30159, upgrade the affected package to a fixed version below.
- Upgrade to 1.31.12 or later
- Upgrade to 1:1.35.2-1 or later
Is CVE-2021-30159 being exploited?
Low — EPSS is 0.9%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 1.31.12, >= 1.32.0, < 1.35.2
- from 0, < 1:1.35.2-1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
References (9)
- ADVISORY: security-tracker.debian.org/tracker/CVE-2021-30159
- WEB: lists.debian.org/debian-lts-announce/2021/05/msg00003.html
- WEB: lists.debian.org/debian-lts-announce/2021/05/msg00006.html
- WEB: lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/26UJGHF7LJDOCQN6A3Z4PM7PYRKENJHE/