Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS1ycXZqLWZjMngtOTlxNs4AAmGM

High EPSS: 0.00246% (0.47716 Percentile) EPSS:
Permalink JSON

OATHAuth extension in MediaWiki is not implementing rate limit

Affected Packages Affected Versions Fixed Versions
packagist:mediawiki/core >= 1.32.0, < 1.34.3, >= 1.31.0, < 1.31.9 1.34.3, 1.31.9
4 Dependent packages
10 Dependent repositories
3,293 Downloads total

Affected Version Ranges

All affected versions

1.31.0, 1.31.1, 1.31.2, 1.31.3, 1.31.4, 1.31.5, 1.31.6, 1.31.7, 1.31.8, 1.32.0, 1.32.1, 1.32.2, 1.32.3, 1.32.4, 1.32.5, 1.32.6, 1.33.0, 1.33.1, 1.33.2, 1.33.3, 1.33.4, 1.34.0, 1.34.1, 1.34.2

All unaffected versions

1.20.3, 1.20.4, 1.20.5, 1.20.6, 1.20.7, 1.20.8, 1.21.0, 1.21.1, 1.21.2, 1.21.3, 1.21.4, 1.21.5, 1.21.6, 1.21.7, 1.21.8, 1.21.9, 1.21.10, 1.21.11, 1.24.0, 1.24.1, 1.24.2, 1.24.3, 1.24.4, 1.24.5, 1.24.6, 1.25.0, 1.25.1, 1.25.2, 1.25.3, 1.25.4, 1.25.5, 1.25.6, 1.26.0, 1.26.1, 1.26.2, 1.26.3, 1.26.4, 1.27.0, 1.27.1, 1.27.2, 1.27.3, 1.27.4, 1.27.5, 1.27.6, 1.27.7, 1.28.0, 1.28.1, 1.28.2, 1.28.3, 1.29.0, 1.29.1, 1.29.2, 1.29.3, 1.30.0, 1.30.1, 1.30.2, 1.31.9, 1.31.10, 1.31.11, 1.31.12, 1.31.13, 1.31.14, 1.31.15, 1.31.16, 1.34.3, 1.34.4, 1.35.0, 1.35.1, 1.35.2, 1.35.3, 1.35.4, 1.35.5, 1.35.6, 1.35.7, 1.35.8, 1.35.9, 1.35.10, 1.35.11, 1.35.12, 1.35.13, 1.35.14, 1.36.0, 1.36.1, 1.36.2, 1.36.3, 1.36.4, 1.37.0, 1.37.1, 1.37.2, 1.37.3, 1.37.4, 1.37.5, 1.37.6, 1.38.0, 1.38.1, 1.38.2, 1.38.3, 1.38.4, 1.38.5, 1.38.6, 1.38.7, 1.39.0, 1.39.1, 1.39.2, 1.39.3, 1.39.4, 1.39.5, 1.39.6, 1.39.7, 1.39.8, 1.39.9, 1.39.10, 1.39.11, 1.39.12, 1.39.13, 1.40.0, 1.40.1, 1.40.2, 1.40.3, 1.40.4, 1.41.0, 1.41.1, 1.41.2, 1.41.3, 1.41.4, 1.41.5, 1.42.0, 1.42.1, 1.42.2, 1.42.3, 1.42.4, 1.42.5, 1.42.6, 1.42.7, 1.43.0, 1.43.1, 1.43.2

An issue was discovered in the OATHAuth extension in MediaWiki before 1.31.9 and 1.32.x through 1.34.x before 1.34.3. For Wikis using OATHAuth on a farm/cluster (such as via CentralAuth), rate limiting of OATH tokens is only done on a single site level. Thus, multiple requests can be made across many wikis/sites concurrently.

References:

Identifiers

GHSA-rqvj-fc2x-99q6

CVE-2020-25827

Risk

Severity

High

EPSS

EPSS Percentage: 0.00246

EPSS Percentile: 0.47716

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Date and time

Published

over 3 years ago

Updated

over 1 year ago

API

JSON