CVE-2021-35197
HIGH7.5EPSS 0.73%mediawiki - security update
Published: 7/2/2021Modified: 3/9/2026
Also known as:DSA-4979-1DEBIAN-CVE-2021-35197DEBIAN-CVE-2021-41798DEBIAN-CVE-2021-41799DEBIAN-CVE-2021-41800DEBIAN-CVE-2021-41801
Description
In MediaWiki before 1.31.15, 1.32.x through 1.35.x before 1.35.3, and 1.36.x before 1.36.1, bots have certain unintended API access. When a bot account has a "sitewide block" applied, it is able to still "purge" pages through the MediaWiki Action API (which a "sitewide block" should have prevented).
Affected packages (4)
- Bitnami/mediawikifrom 0, < 1.31.15, >= 1.32.0, < 1.35.3, >= 1.36.0, < 1.36.1
- Debian/mediawikifrom 0, < 1:1.35.4-1~deb11u1
- Debian/mediawikifrom 0, < 1:1.27.7-1~deb9u10
- Debian/mediawikifrom 0, < 1:1.31.16-1~deb10u1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
References (10)
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2021-35197
- WEBhttps://lists.debian.org/debian-lts-announce/2021/10/msg00003.html
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CJDYJQWT43GBD6GNQ4OW7JOZ6WQ6DZTN/
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MDBPECBWN6LWNSWIQMVXK6PP4YFEUYHA/
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QNEAI2T3Y65I55ZB6UE6RMC662RZTGRX/
- WEBhttps://lists.wikimedia.org/hyperkitty/list/mediawiki-announce%40lists.wikimedia.org/thread/YR3X4L2CPSEJVSY543AWEO65TD6APXHP/
- WEBhttps://nvd.nist.gov/vuln/detail/CVE-2021-35197
- WEBhttps://phabricator.wikimedia.org/T280226
- WEBhttps://security.gentoo.org/glsa/202107-40
- WEBhttps://www.debian.org/security/2021/dsa-4979