OpenCVE

CreateWiki is Miraheze's MediaWiki extension for requesting & creating wikis. An oversight during the writing of the patch for CVE-2024-29897 may have exposed suppressed wiki requests to private wikis that added Special:RequestWikiQueue to the read whitelist to users without the `(read)` permission. This vulnerability is fixed in 8f8442ed5299510ea3e58416004b9334134c149c.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

References

Link	Providers
https://github.com/miraheze/CreateWiki/commit/8f8442ed5299510ea3e58416004b9334134c149c
https://github.com/miraheze/CreateWiki/security/advisories/GHSA-4rcf-3cj2-46mq
https://github.com/miraheze/CreateWiki/security/advisories/GHSA-5rcv-cf88-gv8v

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-03-28T13:43:07.988Z

Updated: 2024-08-02T01:17:58.434Z

Reserved: 2024-03-21T15:12:08.998Z

Link: CVE-2024-29898

Vulnrichment

Updated: 2024-08-02T01:17:58.434Z

NVD

Status : Awaiting Analysis

Published: 2024-03-28T14:15:14.783

Modified: 2024-11-21T09:08:34.523

Link: CVE-2024-29898

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-29898", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-03-21T15:12:08.998Z", "datePublished": "2024-03-28T13:43:07.988Z", "dateUpdated": "2024-08-02T01:17:58.434Z"}, "containers": {"cna": {"title": "Oversight in fix for GHSA-4rcf-3cj2-46mq may have exposed suppressed wiki requests on private wikis", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-5rcv-cf88-gv8v", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-5rcv-cf88-gv8v"}, {"name": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-4rcf-3cj2-46mq", "tags": ["x_refsource_MISC"], "url": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-4rcf-3cj2-46mq"}, {"name": "https://github.com/miraheze/CreateWiki/commit/8f8442ed5299510ea3e58416004b9334134c149c", "tags": ["x_refsource_MISC"], "url": "https://github.com/miraheze/CreateWiki/commit/8f8442ed5299510ea3e58416004b9334134c149c"}], "affected": [{"vendor": "miraheze", "product": "CreateWiki", "versions": [{"version": "23415c17ffb4832667c06abcf1eadadefd4c8937", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-28T13:43:07.988Z"}, "descriptions": [{"lang": "en", "value": "CreateWiki is Miraheze's MediaWiki extension for requesting & creating wikis. An oversight during the writing of the patch for CVE-2024-29897 may have exposed suppressed wiki requests to private wikis that added Special:RequestWikiQueue to the read whitelist to users without the `(read)` permission. This vulnerability is fixed in 8f8442ed5299510ea3e58416004b9334134c149c."}], "source": {"advisory": "GHSA-5rcv-cf88-gv8v", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-29898", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-10T19:46:01.481261Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:56:54.259Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:17:58.434Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-5rcv-cf88-gv8v", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-5rcv-cf88-gv8v"}, {"name": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-4rcf-3cj2-46mq", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-4rcf-3cj2-46mq"}, {"name": "https://github.com/miraheze/CreateWiki/commit/8f8442ed5299510ea3e58416004b9334134c149c", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/miraheze/CreateWiki/commit/8f8442ed5299510ea3e58416004b9334134c149c"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-5rcv-cf88-gv8v", "name": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-5rcv-cf88-gv8v", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-4rcf-3cj2-46mq", "name": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-4rcf-3cj2-46mq", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/miraheze/CreateWiki/commit/8f8442ed5299510ea3e58416004b9334134c149c", "name": "https://github.com/miraheze/CreateWiki/commit/8f8442ed5299510ea3e58416004b9334134c149c", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:17:58.434Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-29898", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-10T19:46:01.481261Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T19:01:23.129Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "Oversight in fix for GHSA-4rcf-3cj2-46mq may have exposed suppressed wiki requests on private wikis", "source": {"advisory": "GHSA-5rcv-cf88-gv8v", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "miraheze", "product": "CreateWiki", "versions": [{"status": "affected", "version": "23415c17ffb4832667c06abcf1eadadefd4c8937"}]}], "references": [{"url": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-5rcv-cf88-gv8v", "name": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-5rcv-cf88-gv8v", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-4rcf-3cj2-46mq", "name": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-4rcf-3cj2-46mq", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/miraheze/CreateWiki/commit/8f8442ed5299510ea3e58416004b9334134c149c", "name": "https://github.com/miraheze/CreateWiki/commit/8f8442ed5299510ea3e58416004b9334134c149c", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "CreateWiki is Miraheze's MediaWiki extension for requesting & creating wikis. An oversight during the writing of the patch for CVE-2024-29897 may have exposed suppressed wiki requests to private wikis that added Special:RequestWikiQueue to the read whitelist to users without the `(read)` permission. This vulnerability is fixed in 8f8442ed5299510ea3e58416004b9334134c149c."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-28T13:43:07.988Z"}}}, "cveMetadata": {"cveId": "CVE-2024-29898", "state": "PUBLISHED", "dateUpdated": "2024-08-02T01:17:58.434Z", "dateReserved": "2024-03-21T15:12:08.998Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-03-28T13:43:07.988Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "CreateWiki is Miraheze's MediaWiki extension for requesting & creating wikis. An oversight during the writing of the patch for CVE-2024-29897 may have exposed suppressed wiki requests to private wikis that added Special:RequestWikiQueue to the read whitelist to users without the `(read)` permission. This vulnerability is fixed in 8f8442ed5299510ea3e58416004b9334134c149c."}, {"lang": "es", "value": "CreateWiki es la extensi\u00f3n MediaWiki de Miraheze para solicitar y crear wikis. Un descuido durante la redacci\u00f3n del parche para CVE-2024-29897 puede haber expuesto solicitudes de wiki suprimidas a wikis privados que agregaron Special:RequestWikiQueue a la lista blanca de lectura para usuarios sin el permiso \"(lectura)\". Esta vulnerabilidad se soluciona en 8f8442ed5299510ea3e58416004b9334134c149c."}], "id": "CVE-2024-29898", "lastModified": "2024-11-21T09:08:34.523", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-03-28T14:15:14.783", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/miraheze/CreateWiki/commit/8f8442ed5299510ea3e58416004b9334134c149c"}, {"source": "security-advisories@github.com", "url": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-4rcf-3cj2-46mq"}, {"source": "security-advisories@github.com", "url": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-5rcv-cf88-gv8v"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/miraheze/CreateWiki/commit/8f8442ed5299510ea3e58416004b9334134c149c"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-4rcf-3cj2-46mq"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/miraheze/CreateWiki/security/advisories/GHSA-5rcv-cf88-gv8v"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Secondary"}]}