{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-47816", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-10-03T14:06:12.638Z", "datePublished": "2024-10-09T18:19:17.108Z", "dateUpdated": "2024-10-09T19:44:51.132Z"}, "containers": {"cna": {"title": "Users can impersonate import requesters if their actor IDs coincide in ImportDump", "problemTypes": [{"descriptions": [{"cweId": "CWE-282", "lang": "en", "description": "CWE-282: Improper Ownership Management", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/miraheze/ImportDump/security/advisories/GHSA-jjmq-mg36-6387", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/miraheze/ImportDump/security/advisories/GHSA-jjmq-mg36-6387"}, {"name": "https://github.com/miraheze/ImportDump/commit/5c91dfce78320e717516ee65ef5a05f01979ee6c", "tags": ["x_refsource_MISC"], "url": "https://github.com/miraheze/ImportDump/commit/5c91dfce78320e717516ee65ef5a05f01979ee6c"}, {"name": "https://github.com/miraheze/mw-config/commit/e5664995fbb8644f9a80b450b4326194f20f9ddc", "tags": ["x_refsource_MISC"], "url": "https://github.com/miraheze/mw-config/commit/e5664995fbb8644f9a80b450b4326194f20f9ddc"}, {"name": "https://issue-tracker.miraheze.org/T12701", "tags": ["x_refsource_MISC"], "url": "https://issue-tracker.miraheze.org/T12701"}], "affected": [{"vendor": "miraheze", "product": "ImportDump", "versions": [{"version": "commits prior to 5c91dfc", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-10-09T18:19:17.108Z"}, "descriptions": [{"lang": "en", "value": "ImportDump is a mediawiki extension designed to automate user import requests. A user's local actor ID is stored in the database to tell who made what requests. Therefore, if a user on another wiki happens to have the same actor ID as someone on the central wiki, the user on the other wiki can act as if they're the original wiki requester. This can be abused to create new comments, edit the request, and view the request if it's marked private. This issue has been addressed in commit `5c91dfc` and all users are advised to update. Users unable to update may disable the special page outside of their global wiki. See `miraheze/mw-config@e566499` for details on that."}], "source": {"advisory": "GHSA-jjmq-mg36-6387", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-09T19:44:13.313675Z", "id": "CVE-2024-47816", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-09T19:44:51.132Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-47816", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-09T19:44:13.313675Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-09T19:44:35.555Z"}}], "cna": {"title": "Users can impersonate import requesters if their actor IDs coincide in ImportDump", "source": {"advisory": "GHSA-jjmq-mg36-6387", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "miraheze", "product": "ImportDump", "versions": [{"status": "affected", "version": "commits prior to 5c91dfc"}]}], "references": [{"url": "https://github.com/miraheze/ImportDump/security/advisories/GHSA-jjmq-mg36-6387", "name": "https://github.com/miraheze/ImportDump/security/advisories/GHSA-jjmq-mg36-6387", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/miraheze/ImportDump/commit/5c91dfce78320e717516ee65ef5a05f01979ee6c", "name": "https://github.com/miraheze/ImportDump/commit/5c91dfce78320e717516ee65ef5a05f01979ee6c", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/miraheze/mw-config/commit/e5664995fbb8644f9a80b450b4326194f20f9ddc", "name": "https://github.com/miraheze/mw-config/commit/e5664995fbb8644f9a80b450b4326194f20f9ddc", "tags": ["x_refsource_MISC"]}, {"url": "https://issue-tracker.miraheze.org/T12701", "name": "https://issue-tracker.miraheze.org/T12701", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "ImportDump is a mediawiki extension designed to automate user import requests. A user's local actor ID is stored in the database to tell who made what requests. Therefore, if a user on another wiki happens to have the same actor ID as someone on the central wiki, the user on the other wiki can act as if they're the original wiki requester. This can be abused to create new comments, edit the request, and view the request if it's marked private. This issue has been addressed in commit `5c91dfc` and all users are advised to update. Users unable to update may disable the special page outside of their global wiki. See `miraheze/mw-config@e566499` for details on that."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-282", "description": "CWE-282: Improper Ownership Management"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-10-09T18:19:17.108Z"}}}, "cveMetadata": {"cveId": "CVE-2024-47816", "state": "PUBLISHED", "dateUpdated": "2024-10-09T19:44:51.132Z", "dateReserved": "2024-10-03T14:06:12.638Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-10-09T18:19:17.108Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "ImportDump is a mediawiki extension designed to automate user import requests. A user's local actor ID is stored in the database to tell who made what requests. Therefore, if a user on another wiki happens to have the same actor ID as someone on the central wiki, the user on the other wiki can act as if they're the original wiki requester. This can be abused to create new comments, edit the request, and view the request if it's marked private. This issue has been addressed in commit `5c91dfc` and all users are advised to update. Users unable to update may disable the special page outside of their global wiki. See `miraheze/mw-config@e566499` for details on that."}, {"lang": "es", "value": "ImportDump es una extensi\u00f3n de MediaWiki dise\u00f1ada para automatizar las solicitudes de importaci\u00f3n de los usuarios. El ID de actor local de un usuario se almacena en la base de datos para indicar qui\u00e9n realiz\u00f3 qu\u00e9 solicitudes. Por lo tanto, si un usuario de otra wiki tiene el mismo ID de actor que alguien de la wiki central, el usuario de la otra wiki puede actuar como si fuera el solicitante original de la wiki. Esto se puede aprovechar para crear nuevos comentarios, editar la solicitud y ver la solicitud si est\u00e1 marcada como privada. Este problema se ha solucionado en el commit `5c91dfc` y se recomienda a todos los usuarios que actualicen. Los usuarios que no puedan actualizar pueden deshabilitar la p\u00e1gina especial fuera de su wiki global. Consulte `miraheze/mw-config@e566499` para obtener m\u00e1s detalles al respecto."}], "id": "CVE-2024-47816", "lastModified": "2024-10-10T12:51:56.987", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-10-09T19:15:14.227", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/miraheze/ImportDump/commit/5c91dfce78320e717516ee65ef5a05f01979ee6c"}, {"source": "security-advisories@github.com", "url": "https://github.com/miraheze/ImportDump/security/advisories/GHSA-jjmq-mg36-6387"}, {"source": "security-advisories@github.com", "url": "https://github.com/miraheze/mw-config/commit/e5664995fbb8644f9a80b450b4326194f20f9ddc"}, {"source": "security-advisories@github.com", "url": "https://issue-tracker.miraheze.org/T12701"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-282"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}