Lucene search

GitHub_MVULNRICHMENT:CVE-2024-29898

HistoryMar 28, 2024 - 1:43 p.m.

CVE-2024-29898 Oversight in fix for GHSA-4rcf-3cj2-46mq may have exposed suppressed wiki requests on private wikis

2024-03-2813:43:07

CWE-200

GitHub_M

github.com

vulnerability

mediawiki extension

exposure

private wikis

patch

requestwikiqueue

CVSS3

4.9

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

AI Score

6.6

Confidence

Low

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

CreateWiki is Miraheze’s MediaWiki extension for requesting & creating wikis. An oversight during the writing of the patch for CVE-2024-29897 may have exposed suppressed wiki requests to private wikis that added Special:RequestWikiQueue to the read whitelist to users without the (read) permission. This vulnerability is fixed in 8f8442ed5299510ea3e58416004b9334134c149c.

CNA Affected

[
  {
    "vendor": "miraheze",
    "product": "CreateWiki",
    "versions": [
      {
        "status": "affected",
        "version": "23415c17ffb4832667c06abcf1eadadefd4c8937"
      }
    ]
  }
]

References

github.com/miraheze/CreateWiki/commit/8f8442ed5299510ea3e58416004b9334134c149c

github.com/miraheze/CreateWiki/security/advisories/GHSA-4rcf-3cj2-46mq

github.com/miraheze/CreateWiki/security/advisories/GHSA-5rcv-cf88-gv8v

CVSS3

4.9

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

AI Score

6.6

Confidence

Low

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

Related for VULNRICHMENT:CVE-2024-29898