cvelist GitHub_M CVELIST:CVE-2021-32722
History Jun 28, 2021 - 7:25 p.m.

CVE-2021-32722 Uncontrolled Resource Consumption in GlobalNewFiles

2021-06-28 19:25:11
CWE-400
GitHub_M
www.cve.org
cve-2021-32722
globalnewfiles
uncontrolled resource consumption
vulnerability
mediawiki
load balancing
database servers
rate limit
patch

CVSS3: 6.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.002
Percentile: 57.3%

GlobalNewFiles is a MediaWiki extension. Versions prior to 48be7adb70568e20e961ea1cb70904454a671b1d are affected by an uncontrolled resource consumption vulnerability. A large number of page moves within a short space of time could overwhelm database servers due to improper handling of load balancing and the lack of an appropriate index. As a workaround, one may avoid use of the extension unless an additional rate limit at the MediaWiki level or via PoolCounter / MySQL is enabled. A patch is available in version 48be7adb70568e20e961ea1cb70904454a671b1d.

CNA Affected

[
  {
    "product": "GlobalNewFiles",
    "vendor": "miraheze",
    "versions": [
      {
        "status": "affected",
        "version": "< 48be7adb70568e20e961ea1cb70904454a671b1d"
      }
    ]
  }
]
