Authentication Bypass Using an Alternate Path or Channel

CVE-2021-30159

Severity Medium
Score 4.3/10

Summary

An issue was discovered in MediaWiki before 1.31.12 and 1.32.x before 1.35.2. Users can bypass intended restrictions on deleting pages in certain "fast double move" situations. "MovePage::isValidMoveTarget()" uses FOR UPDATE, but it's only called if "Title::getArticleID()" returns non-zero with no special flags. Next, "MovePage::moveToInternal()" will delete the page if "getArticleID(READ_LATEST)" is non-zero. Therefore, if the page is missing in the replica DB, "isValidMove()" will return true, and then "moveToInternal()" will unconditionally delete the page if it can be found in the master.
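The check/act mismatch described in the summary, reduced to a small Python model. This is an added example, not MediaWiki code or the upstream patch. The dict-based primary/replica stores, the `move_page` helper, its `precheck_latest` flag and the "target must be a redirect to the source" rule are assumptions made for illustration.

```python
class MoveError(Exception):
    pass

def article_id(db, title):
    """Return the page id for title in the given DB copy, or 0 if absent."""
    page = db.get(title)
    return page["id"] if page else 0

def is_valid_move_target(primary, src, dst):
    # Assumed rule: an existing target may only be overwritten when it is
    # a redirect pointing back at the source page.
    return primary[dst].get("redirect_to") == src

def move_page(primary, replica, src, dst, precheck_latest):
    """Move src over dst; return the page that was deleted, if any.

    precheck_latest=False models the flawed flow: existence is tested on
    the replica, so a lagging replica skips the target check entirely.
    precheck_latest=True reads the same (latest) copy for check and action.
    """
    check_db = primary if precheck_latest else replica
    if article_id(check_db, dst) != 0 and not is_valid_move_target(primary, src, dst):
        raise MoveError(f"{dst} exists and is not a redirect to {src}")
    deleted = None
    if article_id(primary, dst) != 0:  # latest read, as in moveToInternal()
        deleted = primary.pop(dst)
    primary[dst] = primary.pop(src)
    return deleted

def lagging_state():
    """Constructed sample: 'Target' exists on the primary only."""
    primary = {"Source": {"id": 3}, "Target": {"id": 7}}
    replica = {"Source": {"id": 3}}  # replication has not caught up
    return primary, replica

def demo():
    primary, replica = lagging_state()
    lost = move_page(primary, replica, "Source", "Target", precheck_latest=False)
    primary2, replica2 = lagging_state()
    try:
        move_page(primary2, replica2, "Source", "Target", precheck_latest=True)
        blocked = False
    except MoveError:
        blocked = True
    return lost, blocked, primary2

if __name__ == "__main__":
    print(demo())
```

In the flawed flow the content page on the primary is removed without the target check ever running. When the pre-check reads the latest state, the same request is rejected and the page survives.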

  • LOW
  • NETWORK
  • LOW
  • UNCHANGED
  • NONE
  • LOW
  • NONE
  • NONE

CWE-288 - Authentication Bypass Using an Alternate Path or Channel

A product requires authentication, but the product has an alternate path or channel that does not require authentication.

Advisory Timeline

  • Published