CVE-2022-47927 — mediawiki - security update

Description

An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. When installing with a pre-existing data directory that has weak permissions, the SQLite files are created with file mode 0644, i.e., world readable to local users. These files include credentials data.

How to fix CVE-2022-47927

To remediate CVE-2022-47927, upgrade the affected package to a fixed version below.

—upgrade to 1.35.9 or later
—upgrade to 1:1.35.11-1~deb11u1 or later
—upgrade to 1:1.31.16-1+deb10u5 or later

Is CVE-2022-47927 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0, < 1.35.9, >= 1.36.0, < 1.38.5, >= 1.39.0, < 1.39.1
from 0, < 1:1.35.11-1~deb11u1
from 0, < 1:1.31.16-1+deb10u5

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.5	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References (7)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2022-47927
WEBlists.debian.org/debian-lts-announce/2023/07/msg00011.html
WEBlists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AP65YEN762IBNQPOYGUVLTQIDLM5XD2A/
WEB