CVE-2021-32774 - OpenCVE

DataDump is a MediaWiki extension that provides dumps of wikis. Prior to commit 67a82b76e186925330b89ace9c5fd893a300830b, DataDump had no protection against CSRF attacks so requests to generate or delete dumps could be forged. The vulnerability was patched in commit 67a82b76e186925330b89ace9c5fd893a300830b. There are no known workarounds. You must completely disable DataDump.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:N/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Miraheze	Datadump

Configuration 1 [-]

cpe:2.3:a:miraheze:datadump:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/miraheze/DataDump/commit/67a82b76e186925330b89ace9c5fd893a300830b
https://github.com/miraheze/DataDump/security/advisories/GHSA-29mh-4vhv-x8mr
https://phabricator.miraheze.org/T7593

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-07-20T00:35:11

Updated: 2024-08-03T23:33:55.818Z

Reserved: 2021-05-12T00:00:00

Link: CVE-2021-32774

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-07-20T01:15:40.597

Modified: 2021-07-28T19:00:20.840

Link: CVE-2021-32774

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "DataDump", "vendor": "miraheze", "versions": [{"status": "affected", "version": "< 67a82b76e186925330b89ace9c5fd893a300830b"}]}], "descriptions": [{"lang": "en", "value": "DataDump is a MediaWiki extension that provides dumps of wikis. Prior to commit 67a82b76e186925330b89ace9c5fd893a300830b, DataDump had no protection against CSRF attacks so requests to generate or delete dumps could be forged. The vulnerability was patched in commit 67a82b76e186925330b89ace9c5fd893a300830b. There are no known workarounds. You must completely disable DataDump."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "description": "CWE-352: Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-07-20T00:35:10", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/miraheze/DataDump/security/advisories/GHSA-29mh-4vhv-x8mr"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/miraheze/DataDump/commit/67a82b76e186925330b89ace9c5fd893a300830b"}, {"tags": ["x_refsource_MISC"], "url": "https://phabricator.miraheze.org/T7593"}], "source": {"advisory": "GHSA-29mh-4vhv-x8mr", "discovery": "UNKNOWN"}, "title": "Cross-Site Request Forgery (CSRF) in DataDump", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-32774", "STATE": "PUBLIC", "TITLE": "Cross-Site Request Forgery (CSRF) in DataDump"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "DataDump", "version": {"version_data": [{"version_value": "< 67a82b76e186925330b89ace9c5fd893a300830b"}]}}]}, "vendor_name": "miraheze"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "DataDump is a MediaWiki extension that provides dumps of wikis. Prior to commit 67a82b76e186925330b89ace9c5fd893a300830b, DataDump had no protection against CSRF attacks so requests to generate or delete dumps could be forged. The vulnerability was patched in commit 67a82b76e186925330b89ace9c5fd893a300830b. There are no known workarounds. You must completely disable DataDump."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-352: Cross-Site Request Forgery (CSRF)"}]}]}, "references": {"reference_data": [{"name": "https://github.com/miraheze/DataDump/security/advisories/GHSA-29mh-4vhv-x8mr", "refsource": "CONFIRM", "url": "https://github.com/miraheze/DataDump/security/advisories/GHSA-29mh-4vhv-x8mr"}, {"name": "https://github.com/miraheze/DataDump/commit/67a82b76e186925330b89ace9c5fd893a300830b", "refsource": "MISC", "url": "https://github.com/miraheze/DataDump/commit/67a82b76e186925330b89ace9c5fd893a300830b"}, {"name": "https://phabricator.miraheze.org/T7593", "refsource": "MISC", "url": "https://phabricator.miraheze.org/T7593"}]}, "source": {"advisory": "GHSA-29mh-4vhv-x8mr", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T23:33:55.818Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/miraheze/DataDump/security/advisories/GHSA-29mh-4vhv-x8mr"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/miraheze/DataDump/commit/67a82b76e186925330b89ace9c5fd893a300830b"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://phabricator.miraheze.org/T7593"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-32774", "datePublished": "2021-07-20T00:35:11", "dateReserved": "2021-05-12T00:00:00", "dateUpdated": "2024-08-03T23:33:55.818Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:miraheze:datadump:*:*:*:*:*:*:*:*", "matchCriteriaId": "106D06B4-4C0F-4168-BBD1-A08DFBB79752", "versionEndExcluding": "2021-07-07", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "DataDump is a MediaWiki extension that provides dumps of wikis. Prior to commit 67a82b76e186925330b89ace9c5fd893a300830b, DataDump had no protection against CSRF attacks so requests to generate or delete dumps could be forged. The vulnerability was patched in commit 67a82b76e186925330b89ace9c5fd893a300830b. There are no known workarounds. You must completely disable DataDump."}, {"lang": "es", "value": "DataDump es una extensi\u00f3n de MediaWiki que proporciona volcados de wikis. Anterior al commit 67a82b76e186925330b89ace9c5fd893a300830b, DataDump no ten\u00eda protecci\u00f3n contra ataques de tipo CSRF, por lo que las peticiones para generar o eliminar volcados pod\u00edan ser falsificadas. La vulnerabilidad fue parcheada en el commit 67a82b76e186925330b89ace9c5fd893a300830b. No hay soluciones conocidas. Debes desactivar completamente DataDump"}], "id": "CVE-2021-32774", "lastModified": "2021-07-28T19:00:20.840", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.8, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2021-07-20T01:15:40.597", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/miraheze/DataDump/commit/67a82b76e186925330b89ace9c5fd893a300830b"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/miraheze/DataDump/security/advisories/GHSA-29mh-4vhv-x8mr"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://phabricator.miraheze.org/T7593"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-352"}], "source": "security-advisories@github.com", "type": "Secondary"}]}