Lucene search

GoogleOSV:CVE-2024-29898

HistoryMar 28, 2024 - 2:15 p.m.

CVE-2024-29898

2024-03-2814:15:14

Google

osv.dev

miraheze

createwiki

mediawiki

extension

requestwikiqueue

vulnerability

patch

oversight

suppressed wiki requests

private wikis

read whitelist

users

permission

fixed.

CVSS3

4.9

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

AI Score

6.9

Confidence

Low

EPSS

Percentile

15.5%

JSON

CreateWiki is Miraheze’s MediaWiki extension for requesting & creating wikis. An oversight during the writing of the patch for CVE-2024-29897 may have exposed suppressed wiki requests to private wikis that added Special:RequestWikiQueue to the read whitelist to users without the (read) permission. This vulnerability is fixed in 8f8442ed5299510ea3e58416004b9334134c149c.

References

github.com/miraheze/CreateWiki/commit/8f8442ed5299510ea3e58416004b9334134c149c

github.com/miraheze/CreateWiki/security/advisories/GHSA-4rcf-3cj2-46mq

github.com/miraheze/CreateWiki/security/advisories/GHSA-5rcv-cf88-gv8v

CVSS3

4.9

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

AI Score

6.9

Confidence

Low

EPSS

Percentile

15.5%

JSON

Related for OSV:CVE-2024-29898