Incorrect Permission Assignment for Critical Resource

CVE-2023-45364

Medium

5.3/10

Summary

An issue was discovered in mediawiki/core versions 1.36.0-rc.0 through 1.39.4, and 1.40.0-rc.0 through 1.40.0. Deleted revision existence is leaked due to incorrect permissions being checked. This reveals that a given "revision ID" belonged to the given "page title", and its "timestamp", both of which are not supposed to be public information.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: LOW
Availability Impact: NONE

CWE-732 - Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

References

Advisory
Issue

Advisory Timeline

Published Oct 09, 2023

Incorrect Permission Assignment for Critical Resource

CVE-2023-45364

Summary

CWE-732 - Incorrect Permission Assignment for Critical Resource

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS