Lucene search

GoogleOSV:GHSA-C8WV-QWWC-6J73

HistoryMay 24, 2022 - 7:17 p.m.

MediaWiki allows a denial of service

2022-05-2419:17:14

Google

osv.dev

mediawiki

denial of service

1.36.2

resource consumption

lengthy query processing

special:contributions

sql query

poolcounter protection

vulnerability

AI Score

7.2

Confidence

Low

EPSS

0.003

Percentile

66.3%

JSON

MediaWiki before 1.36.2 allows a denial of service (resource consumption because of lengthy query processing time). Visiting Special:Contributions can sometimes result in a long running SQL query because PoolCounter protection is mishandled.

References

github.com/wikimedia/mediawiki/commit/781caf83dba90c18349f930bbaaa0e89f003f874

lists.fedoraproject.org/archives/list/[email protected]/message/CJDYJQWT43GBD6GNQ4OW7JOZ6WQ6DZTN

lists.fedoraproject.org/archives/list/[email protected]/message/MDBPECBWN6LWNSWIQMVXK6PP4YFEUYHA

lists.fedoraproject.org/archives/list/[email protected]/message/QNEAI2T3Y65I55ZB6UE6RMC662RZTGRX

lists.wikimedia.org/hyperkitty/list/[email protected]/thread/2IFS5CM2YV4VMSODPX3J2LFHKSEWVFV5

nvd.nist.gov/vuln/detail/CVE-2021-41800

phabricator.wikimedia.org/T284419

security.gentoo.org/glsa/202305-24