AttackerKB AKB:C338961C-AF6F-4F3B-BA11-B1E927B6A825
History: Jun 28, 2021 - 12:00 a.m.

CVE-2021-32722

attackerkb.com
Tags: globalnewfiles, mediawiki, uncontrolled resource consumption, vulnerability, database servers, patch, cve-2021-32722

CVSS2: 4
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
AV:N/AC:L/Au:S/C:N/I:N/A:P

CVSS3: 6.5
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.002
Percentile: 57.3%

GlobalNewFiles is a MediaWiki extension. Versions prior to 48be7adb70568e20e961ea1cb70904454a671b1d are affected by an uncontrolled resource consumption vulnerability. A large number of page moves within a short space of time could overwhelm database servers due to improper handling of load balancing and the lack of an appropriate index. As a workaround, one may avoid use of the extension unless an additional rate limit is enabled at the MediaWiki level or via PoolCounter / MySQL. A patch is available in version 48be7adb70568e20e961ea1cb70904454a671b1d.

Recent assessments:

RhinosF1 at June 28, 2021 8:19pm UTC reported:

Impact is very dependent on your system. No measures were in place on the software level to control resources via processing of activity in the background, nor was performance taken into consideration, so the larger the extension’s database, the easier it is for it to fall over. The extension should be updating things in the background, as the information it makes available is not instantly required, and job runners are less likely to overwhelm the database due to their nature.

Assessed Attacker Value: 5
Assessed Attacker Value: 4
