CVE-2021-31552 - OpenCVE

An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. It incorrectly executed certain rules related to blocking accounts after account creation. Such rules would allow for user accounts to be created while blocking only the IP address used to create an account (and not the user account itself). Such rules could also be used by a nefarious, unprivileged user to catalog and enumerate any number of IP addresses related to these account creations.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Mediawiki	Mediawiki

Configuration 1 [-]

cpe:2.3:a:mediawiki:mediawiki:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://gerrit.wikimedia.org/r/q/I8bae477ad7e4d0190335363ac2decf28e4313da1
https://phabricator.wikimedia.org/T152394

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2021-04-22T02:29:41

Updated: 2024-08-03T23:03:33.164Z

Reserved: 2021-04-22T00:00:00

Link: CVE-2021-31552

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-04-22T03:15:08.163

Modified: 2022-07-12T17:42:04.277

Link: CVE-2021-31552

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. It incorrectly executed certain rules related to blocking accounts after account creation. Such rules would allow for user accounts to be created while blocking only the IP address used to create an account (and not the user account itself). Such rules could also be used by a nefarious, unprivileged user to catalog and enumerate any number of IP addresses related to these account creations."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-04-22T02:29:41", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://phabricator.wikimedia.org/T152394"}, {"tags": ["x_refsource_MISC"], "url": "https://gerrit.wikimedia.org/r/q/I8bae477ad7e4d0190335363ac2decf28e4313da1"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-31552", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. It incorrectly executed certain rules related to blocking accounts after account creation. Such rules would allow for user accounts to be created while blocking only the IP address used to create an account (and not the user account itself). Such rules could also be used by a nefarious, unprivileged user to catalog and enumerate any number of IP addresses related to these account creations."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://phabricator.wikimedia.org/T152394", "refsource": "MISC", "url": "https://phabricator.wikimedia.org/T152394"}, {"name": "https://gerrit.wikimedia.org/r/q/I8bae477ad7e4d0190335363ac2decf28e4313da1", "refsource": "MISC", "url": "https://gerrit.wikimedia.org/r/q/I8bae477ad7e4d0190335363ac2decf28e4313da1"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T23:03:33.164Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://phabricator.wikimedia.org/T152394"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://gerrit.wikimedia.org/r/q/I8bae477ad7e4d0190335363ac2decf28e4313da1"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-31552", "datePublished": "2021-04-22T02:29:41", "dateReserved": "2021-04-22T00:00:00", "dateUpdated": "2024-08-03T23:03:33.164Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mediawiki:mediawiki:*:*:*:*:*:*:*:*", "matchCriteriaId": "4067807D-769C-485F-A7E3-EE96885BDCE7", "versionEndIncluding": "1.35.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. It incorrectly executed certain rules related to blocking accounts after account creation. Such rules would allow for user accounts to be created while blocking only the IP address used to create an account (and not the user account itself). Such rules could also be used by a nefarious, unprivileged user to catalog and enumerate any number of IP addresses related to these account creations."}, {"lang": "es", "value": "Se detect\u00f3 un problema en la extensi\u00f3n AbuseFilter para MediaWiki versiones hasta 1.35.2. Ejecut\u00f3 inapropiadamente determinadas reglas relacionadas con el bloqueo de cuentas despu\u00e9s de la creaci\u00f3n de la cuenta. Dichas reglas permitir\u00edan crear cuentas de usuario mientras se bloquea solo la direcci\u00f3n IP usada para crear una cuenta (y no la cuenta de usuario en s\u00ed). Estas reglas tambi\u00e9n podr\u00edan ser usadas por un usuario infame y sin privilegios para catalogar y enumerar cualquier n\u00famero de direcciones IP relacionadas con estas creaciones de cuentas"}], "id": "CVE-2021-31552", "lastModified": "2022-07-12T17:42:04.277", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 5.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-04-22T03:15:08.163", "references": [{"source": "cve@mitre.org", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://gerrit.wikimedia.org/r/q/I8bae477ad7e4d0190335363ac2decf28e4313da1"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://phabricator.wikimedia.org/T152394"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}]}