Alerts This Week
Warning Icon 1 758
Alerts This Week
Warning Icon 1 758

Debian 9: DLA-2648-1 Moderate: MediaWiki Denial of Service

debian lts
Calendar Grey May 5, 2021
Dist Debian Esm H88
- ------------------------------------------------------------------------- Debian LTS Advisory DLA-
Several vulnerabilities were discovered in mediawiki, a wiki website engine for collaborative work

Summary

CVE-2021-20270

An infinite loop in SMLLexer in Pygments used by mediawiki as
one if its lexers may lead to denial of service when performing
syntax highlighting of a Standard ML (SML) source file, as
demonstrated by input that only contains the "exception" keyword.

CVE-2021-27291

pygments, the lexers used by mediawiki rely heavily on regular
expressions. Some of the regular expressions have exponential or
cubic worst-case complexity and are vulnerable to ReDoS. By
crafting malicious input, an attacker can cause a denial of service.

CVE-2021-30152

An issue was discovered in MediaWiki. When using the MediaWiki
API to "protect" a page, a user is currently able to protect to a
higher level than they currently have permissions for.

CVE-2021-30155

An issue was discovered in MediaWiki before. ContentModelChange
does not check if a user has correct permissions to create and set
the content model of a nonexistent page.

CVE-2021-30158

Read the Full Advisory


Package: mediawiki
Version: 1:1.27.7-1~deb9u8
CVE ID: CVE-2021-20270 CVE-2021-27291 CVE-2021-30152
Debian Bug: 985574 984664

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here