VDB
CVE-2021-35197
CVE-2021-35197
PUBLISHED
In MediaWiki before 1.31.15, 1.32.x through 1.35.x before 1.35.3, and 1.36.x before 1.36.1, bots have certain unintended API access. When a bot account has a "sitewide block" applied, it is able to still "purge" pages through the MediaWiki Action API (which a "sitewide block" should have prevented).
EPSS 0.73% · 73.1th percentile
Risk Scores
EPSS Score
0.73%
73.1th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:22.04:LTS | mediawiki | 1:1.35.6-1, 1:1.35.5-1ubuntu1, 1:1.35.4-1 |
| Ubuntu:25.10 | mediawiki | 0, 1:1.43.1+dfsg-1, 1:1.43.1+dfsg-2 |
| Ubuntu:20.04:LTS | mediawiki | 1:1.31.2-1ubuntu1, 1:1.31.5-1, 1:1.31.5-1ubuntu1 |
| Ubuntu:18.04:LTS | mediawiki | 1:1.27.4-3, 0, 1:1.27.3-1 |
| Ubuntu:24.04:LTS | mediawiki | 1:1.39.7-1, 1:1.39.6-1, 1:1.39.5-1 |
Exploit Intelligence
- https://phabricator.wikimedia.org/T280226 (nist-nvd)
- https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce%40lists.wikimedia.org/thread/YR3X4L2CPSEJVSY543AWEO65TD6APXHP/ (circl)
- GLSA-202107-40 (circl)
- DSA-4979 (circl)
- [debian-lts-announce] 20211009 [SECURITY] [DLA 2779-1] mediawiki security update (circl)
- FEDORA-2021-eee8b7514f (circl)
- FEDORA-2021-56d8173b5e (circl)
- FEDORA-2021-3dd1b66cbf (circl)
Timeline
- Jul 2, 2021 CVE Published
- Jul 3, 2021 EPSS Score
- Sep 1, 2021 EPSS Score
- Oct 10, 2021 EPSS Score
- Oct 11, 2021 EPSS Score
- Oct 31, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Feb 4, 2022 EPSS Score
- Feb 28, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- Jun 28, 2022 EPSS Score
- Aug 28, 2022 EPSS Score
References
- https://ubuntu.com/security/CVE-2021-35197 third-party-advisory
- https://lists.wikimedia.org/hyperkitty/list/wikitech-l@lists.wikimedia.org/thread/YR3X4L2CPSEJVSY543AWEO65TD6APXHP/ third-party-advisory
- https://phabricator.wikimedia.org/T280226 third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2021-35197 third-party-advisory