Gentoo FoundationGLSA-200407-09MoinMoin: Group ACL bypass
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.013 Low
EPSS
Percentile
85.5%
Background
MoinMoin is a Python clone of WikiWiki, based on PikiPiki.
Description
MoinMoin contains a bug in the code handling administrative group ACLs. A user created with the same name as an administrative group gains the privileges of the administrative group.
Impact
If an administrative group called AdminGroup existed an attacker could create a user called AdminGroup and gain the privileges of the group AdminGroup. This could lead to unauthorized users gaining administrative access.
Workaround
For every administrative group with special privileges create a user with the same name as the group.
Resolution
All users should upgrade to the latest available version of MoinMoin, as follows:
# emerge sync
# emerge -pv ">=www-apps/moinmoin-1.2.2"
# emerge ">=www-apps/moinmoin-1.2.2"
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| Gentoo | any | all | www-apps/moinmoin | <= 1.2.1 | UNKNOWN |
Related
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.013 Low
EPSS
Percentile
85.5%