Launchpad.net

CVE 2021-44857

An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. It is possible to use action=mcrundo followed by action=mcrrestore to replace the content of any arbitrary page (that the user doesn't have edit rights for). This applies to any public wiki, or a private wiki that has at least one page set in $wgWhitelistRead.

Related bugs and status

CVE-2021-44857 (Candidate) is related to these bugs:

Bug #1955352: Vulnerable to information disclosure through various actions

		In	Importance	Status
1955352	Vulnerable to information disclosure through various actions	mediawiki (Ubuntu)	Medium	Fix Released
1955352	Vulnerable to information disclosure through various actions	mediawiki (Ubuntu Jammy)	Medium	Fix Released
1955352	Vulnerable to information disclosure through various actions	mediawiki (Ubuntu Hirsute)	Medium	Won't Fix
1955352	Vulnerable to information disclosure through various actions	mediawiki (Ubuntu Bionic)	Medium	In Progress
1955352	Vulnerable to information disclosure through various actions	mediawiki (Ubuntu Impish)	Medium	Won't Fix
1955352	Vulnerable to information disclosure through various actions	mediawiki (Ubuntu Focal)	Medium	In Progress

See the

CVE page on Mitre.org for more details.

Launchpad.net

CVE 2021-44857

Related bugs and status

Related bugs

References