Candidate: CVE-2021-45038
PublicDate: 2021-12-17 04:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45038
 https://phabricator.wikimedia.org/T297574
 https://lists.wikimedia.org/hyperkitty/list/wikitech-l@lists.wikimedia.org/thread/QEN3EK4JXAVJMJ5GF3GYOAKNJPEKFQYA/
Description:
 An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3,
 and 1.37.x before 1.37.1. By using an action=rollback query, attackers can
 view private wiki contents.
Ubuntu-Description:
Notes:
 sbeattie> include upstream dda5355c0ee804c94ff371a8a16c4a2a8e4436bd as
   a prerequisite to the fix for this CVE to make it apply more cleanly.
 sbeattie> introduced in 0a8403271109 (v1.33.0)
Mitigation:
Bugs:
 https://bugs.launchpad.net/ubuntu/+source/mediawiki/+bug/1955352
 https://phabricator.wikimedia.org/T297574
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N [5.3 MEDIUM]


Patches_mediawiki:
 upstream: https://github.com/wikimedia/mediawiki/commit/03d5b2752cffbdc233be7cb610c92369709323b3
upstream_mediawiki: released (1:1.35.5-1)
trusty_mediawiki: not-affected (code not present)
xenial_mediawiki: DNE
bionic_mediawiki: not-affected (code not present)
focal_mediawiki: not-affected (code not present)
hirsute_mediawiki: ignored (reached end-of-life)
impish_mediawiki: needed
jammy_mediawiki: not-affected (1:1.35.5-1)
devel_mediawiki: not-affected (1:1.35.5-1)