First published: Mon Dec 26 2022
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. The REST API publicly caches results from private wikis.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/mediawiki | 1:1.31.16-1+deb10u2, 1:1.31.16-1+deb10u6, 1:1.35.11-1~deb11u1, 1:1.35.13-1~deb11u1, 1:1.39.4-1~deb12u1, 1:1.39.5-1~deb12u1, 1:1.39.5-1 | |
| MediaWiki MediaWiki | <1.35.5 | |
| MediaWiki MediaWiki | >=1.36.0, <1.36.3 | |
| MediaWiki MediaWiki | =1.37.0 | |
| MediaWiki MediaWiki | =1.37.0-rc0 | |
| MediaWiki MediaWiki | =1.37.0-rc1 | |
| MediaWiki MediaWiki | =1.37.0-rc2 | |
CVE-2021-44854 is rated medium severity, with a severity score of 5.3.
CVE-2021-44854 allows results of REST API requests made against private wikis to be stored in public caches, so a later request served from the cache can expose content that should only be visible to authorized users.
MediaWiki versions before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1 are affected by CVE-2021-44854.
For Debian's MediaWiki package, the remedy for CVE-2021-44854 is to update to version 1:1.39.5-1~deb12u1 or later.
More information about CVE-2021-44854 can be found at the following links: [phabricator.wikimedia.org](https://phabricator.wikimedia.org/T292763), [lists.wikimedia.org](https://lists.wikimedia.org/hyperkitty/list/wikitech-l@lists.wikimedia.org/thread/QEN3EK4JXAVJMJ5GF3GYOAKNJPEKFQYA/), and [security-tracker.debian.org](https://security-tracker.debian.org/tracker/CVE-2021-44854).