MediaWiki Denial of Service vulnerability
High severity
GitHub Reviewed
Published to the GitHub Advisory Database
Package: mediawiki/core (Composer)
Affected versions: < 1.35.12; >= 1.36.0, < 1.39.5; = 1.40.0
Patched versions: 1.35.12; 1.39.5; 1.40.1
Description
An issue was discovered in ApiPageSet.php in MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. It allows attackers to cause a denial of service (unbounded loop and RequestTimeoutException) when querying pages redirected to other variants with redirects and converttitles set.
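To check whether an installation falls in the affected ranges, the following added example (not part of the advisory or of MediaWiki) evaluates the `mediawiki/core` entry of a Composer lock file against the version ranges listed above. It assumes the deployment records the package in `composer.lock`; the lock content shown is constructed, and the function names are hypothetical.

```python
import json
import re

PACKAGE = "mediawiki/core"  # package name as listed in the advisory

def parse_version(text):
    """Return (major, minor, patch) for a plain release string, else None."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(p) for p in m.groups()) if m else None

def is_affected(version):
    """True/False for plain releases; None when the string needs manual review."""
    v = parse_version(version)
    if v is None:
        return None  # e.g. "dev-master" or a pre-release tag
    # Affected ranges from the advisory: < 1.35.12; >= 1.36.0, < 1.39.5; = 1.40.0
    return v < (1, 35, 12) or (1, 36, 0) <= v < (1, 39, 5) or v == (1, 40, 0)

def patched_target(version):
    """Patched release from the advisory for an affected version, else None."""
    if not is_affected(version):
        return None
    v = parse_version(version)
    if v < (1, 35, 12):
        return "1.35.12"
    return "1.39.5" if v < (1, 39, 5) else "1.40.1"

def audit_lock(lock_text):
    """Return (version, affected, patched_target) per mediawiki/core lock entry."""
    lock = json.loads(lock_text)
    entries = lock.get("packages", []) + lock.get("packages-dev", [])
    return [(p["version"], is_affected(p["version"]), patched_target(p["version"]))
            for p in entries if p.get("name") == PACKAGE]

# Constructed composer.lock content for illustration (not from a real deployment).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "mediawiki/core", "version": "1.39.4"},
        {"name": "psr/log", "version": "1.1.4"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    for version, affected, target in audit_lock(SAMPLE_LOCK):
        print(f"{PACKAGE} {version}: affected={affected} upgrade_to={target}")
```

A result of `None` for `affected` means the version string is not a plain release (a branch alias or pre-release tag) and has to be reviewed by hand.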
Published by the National Vulnerability Database
Severity: High
CVSS v4 base metrics
Exploitability Metrics
  Attack Vector: Network
  Attack Complexity: Low
  Attack Requirements: None
  Privileges Required: None
  User interaction: None
Vulnerable System Impact Metrics
  Confidentiality: None
  Integrity: None
  Availability: High
Subsequent System Impact Metrics
  Confidentiality: None
  Integrity: None
  Availability: None
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS score (97th percentile)
CVE ID: CVE-2023-45363
GHSA ID: GHSA-w5fx-cx7f-6vr9
Credits: @Rudloff (Analyst)
