製品・ソフトウェアに関する情報

JVN脆弱性詳細

MediaWiki における脆弱性

Title	MediaWiki における脆弱性
Summary	MediaWiki には、不特定の脆弱性が存在します。
Possible impacts	情報を改ざんされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Jan. 19, 2021, midnight
Registration Date	Dec. 14, 2021, 6:01 p.m.
Last Update	Dec. 14, 2021, 6:01 p.m.

Affected System

Debian

Debian GNU/Linux

Fedora Project

Fedora

MediaWiki

MediaWiki 1.31.12 未満

MediaWiki 1.32.x 以上 1.35.2 未満の 1.35.x

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2021-30159	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30159
National Vulnerability Database (NVD)
2	CVE-2021-30159	https://nvd.nist.gov/vuln/detail/CVE-2021-30159

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-noinfo	https://www.ipa.go.jp/security/vuln/CWE.html#CWEnoinfo

ベンダー情報

No	Name	URL
Debian
1	[SECURITY] [DLA 2648-1] mediawiki security update	https://lists.debian.org/debian-lts-announce/2021/05/msg00003.html
2	[SECURITY] [DLA 2648-2] mediawiki regression update	https://lists.debian.org/debian-lts-announce/2021/05/msg00006.html
Debian Security Advisory
3	DSA-4889-1	https://www.debian.org/security/2021/dsa-4889
Fedora Update Notification
4	FEDORA-2021-d298103d3a	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2OMSV7B2TCFBOCICN3B4SMQP5HVRJQIT/
5	FEDORA-2021-f4223b6684	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/26UJGHF7LJDOCQN6A3Z4PM7PYRKENJHE/
Phabricator
6	T272386	https://phabricator.wikimedia.org/T272386

Change Log

No	Changed Details	Date of change
1	[2021年12月14日] 掲載	Dec. 14, 2021, 6:01 p.m.

NVD Vulnerability Information

CVE-2021-30159

Summary	An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. Users can bypass intended restrictions on deleting pages in certain "fast double move" situations. MovePage::isValidMoveTarget() uses FOR UPDATE, but it's only called if Title::getArticleID() returns non-zero with no special flags. Next, MovePage::moveToInternal() will delete the page if getArticleID(READ_LATEST) is non-zero. Therefore, if the page is missing in the replica DB, isValidMove() will return true, and then moveToInternal() will unconditionally delete the page if it can be found in the master.
Publication Date	April 9, 2021, 4:15 p.m.
Registration Date	April 9, 2021, 8:04 p.m.
Last Update	Nov. 21, 2024, 3:03 p.m.

Affected software configurations

Related information, measures and tools

No	URL	タグ
1	https://lists.debian.org/debian-lts-announce/2021/05/msg00003.html	Third Party Advisory
2	https://lists.debian.org/debian-lts-announce/2021/05/msg00003.html	Third Party Advisory
3	https://lists.debian.org/debian-lts-announce/2021/05/msg00006.html	Mailing List Third Party Advisory
4	https://lists.debian.org/debian-lts-announce/2021/05/msg00006.html	Mailing List Third Party Advisory
5	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/26UJGHF7LJDOCQN6A3Z4PM7PYRKENJHE/
6	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/26UJGHF7LJDOCQN6A3Z4PM7PYRKENJHE/
7	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2OMSV7B2TCFBOCICN3B4SMQP5HVRJQIT/
8	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2OMSV7B2TCFBOCICN3B4SMQP5HVRJQIT/
9	https://phabricator.wikimedia.org/T272386	Exploit Patch Vendor Advisory
10	https://phabricator.wikimedia.org/T272386	Exploit Patch Vendor Advisory
11	https://security.gentoo.org/glsa/202107-40	Third Party Advisory
12	https://security.gentoo.org/glsa/202107-40	Third Party Advisory
13	https://www.debian.org/security/2021/dsa-4889	Third Party Advisory
14	https://www.debian.org/security/2021/dsa-4889	Third Party Advisory

Common Vulnerabilities List