Lucene search

GitHub_MVULNRICHMENT:CVE-2024-29883

HistoryMar 26, 2024 - 1:37 p.m.

CVE-2024-29883 CreateWiki's wiki request suppression ignores the suppression settings set by the suppressor

2024-03-2613:37:48

CWE-200

GitHub_M

github.com

cve-2024-29883

createwiki

miraheze's mediawiki

suppression

visibility issue

wiki request

CVSS3

4.9

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

AI Score

6.6

Confidence

Low

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

CreateWiki is Miraheze’s MediaWiki extension for requesting & creating wikis. Suppression of wiki requests does not work as intended, and always restricts visibility to those with the (createwiki) user right regardless of the settings one sets on a given wiki request. This may expose information to users who are not supposed to be able to access it.

CNA Affected

[
  {
    "vendor": "miraheze",
    "product": "CreateWiki",
    "versions": [
      {
        "version": "< 0c7c4f93834349be8f5c2a678e9a85b4b1aa7bab",
        "status": "affected"
      }
    ]
  }
]

References

gist.githubusercontent.com/redbluegreenhat/0da1ebb7185b241ce1ac6ba1e8f0b98d/raw/44c4a229aacc8233808c767a79af9e4fd581ae68/T11993.patch

github.com/miraheze/CreateWiki/security/advisories/GHSA-8wjf-mxjg-j8p9

issue-tracker.miraheze.org/T11993

CVSS3

4.9

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

AI Score

6.6

Confidence

Low

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

Related for VULNRICHMENT:CVE-2024-29883