Lucene search

GitHub_MCVELIST:CVE-2024-29898

HistoryMar 28, 2024 - 1:43 p.m.

CVE-2024-29898 Oversight in fix for GHSA-4rcf-3cj2-46mq may have exposed suppressed wiki requests on private wikis

2024-03-2813:43:07

CWE-200

GitHub_M

www.cve.org

cve-2024-29898

oversight

ghsa-4rcf-3cj2-46mq

createwiki extension

miraheze's mediawiki

suppressed wiki requests

private wikis

vulnerability

patch

special:requestwikiqueue

read whitelist

permission

8f8442ed5299510ea3e58416004b9334134c149c

CVSS3

4.9

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

AI Score

5.2

Confidence

High

EPSS

Percentile

15.5%

JSON

CreateWiki is Miraheze’s MediaWiki extension for requesting & creating wikis. An oversight during the writing of the patch for CVE-2024-29897 may have exposed suppressed wiki requests to private wikis that added Special:RequestWikiQueue to the read whitelist to users without the (read) permission. This vulnerability is fixed in 8f8442ed5299510ea3e58416004b9334134c149c.

CNA Affected

[
  {
    "vendor": "miraheze",
    "product": "CreateWiki",
    "versions": [
      {
        "version": "23415c17ffb4832667c06abcf1eadadefd4c8937",
        "status": "affected"
      }
    ]
  }
]

References

github.com/miraheze/CreateWiki/commit/8f8442ed5299510ea3e58416004b9334134c149c

github.com/miraheze/CreateWiki/security/advisories/GHSA-4rcf-3cj2-46mq

github.com/miraheze/CreateWiki/security/advisories/GHSA-5rcv-cf88-gv8v

CVSS3

4.9

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

AI Score

5.2

Confidence

High

EPSS

Percentile

15.5%

JSON

Related for CVELIST:CVE-2024-29898