Vulnerability Description
An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. It incorrectly executed certain rules related to blocking accounts after account creation. Such rules would allow for user accounts to be created while blocking only the IP address used to create an account (and not the user account itself). Such rules could also be used by a nefarious, unprivileged user to catalog and enumerate any number of IP addresses related to these account creations.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mediawiki | Mediawiki | <= 1.35.2 |
Related Weaknesses (CWE)
References
- https://gerrit.wikimedia.org/r/q/I8bae477ad7e4d0190335363ac2decf28e4313da1Issue TrackingVendor Advisory
- https://phabricator.wikimedia.org/T152394Third Party Advisory
- https://gerrit.wikimedia.org/r/q/I8bae477ad7e4d0190335363ac2decf28e4313da1Issue TrackingVendor Advisory
- https://phabricator.wikimedia.org/T152394Third Party Advisory
FAQ
What is CVE-2021-31552?
CVE-2021-31552 is a vulnerability with a CVSS score of 5.4 (MEDIUM). An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. It incorrectly executed certain rules related to blocking accounts after account creation. Such rules would allow for...
How severe is CVE-2021-31552?
CVE-2021-31552 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-31552?
Check the references section above for vendor advisories and patch information. Affected products include: Mediawiki Mediawiki.