CVE-2013-2032

Current Description

MediaWiki before 1.19.6 and 1.20.x before 1.20.5 does not allow extensions to prevent password changes without using both Special:PasswordReset and Special:ChangePassword, which allows remote attackers to bypass the intended restrictions of an extension that only implements one of these blocks.

Basic Data

Published: November 18, 2013
Last Modified: October 18, 2016
Assigner: cve@mitre.org
Data Type: CVE
Data Format: MITRE
Data Version: 4.0
Problem Type: CWE-264
CVE Data Version: 4.0

Base Metric V2

CVSS 2 - Version: 2.0
CVSS 2 - Vector String: AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSS 2 - Access Vector: NETWORK
CVSS 2 - Access Complexity: LOW
CVSS 2 - Authentication: NONE
CVSS 2 - Confidentiality Impact: NONE
CVSS 2 - Availability Impact: NONE
CVSS 2 - Base Score: 5.0
Severity: MEDIUM
Exploitability Score: 10.0
Impact Score: 2.9
Obtain All Privilege: false
Obtain User Privilege: false
Obtain Other Privilege: false

Base Metric V3

No data provided.

Configurations

  • OR - Configuration 1
    CPE Version | Part | Vendor | Product | Version | Update
    (Edition, Language, SW Edition, Target SW, Target HW and Other are * for every row; the version-range fields are empty unless shown.)
    2.3 | Application | Mediawiki | Mediawiki | 1.1.0 | *
    2.3 | Application | Mediawiki | Mediawiki | 1.10.0 | *
    2.3 | Application | Mediawiki | Mediawiki | 1.10.0 | rc1
    2.3 | Application | Mediawiki | Mediawiki | 1.10.0 | rc2
    2.3 | Application | Mediawiki | Mediawiki | 1.10.1 | *
    2.3 | Application | Mediawiki | Mediawiki | 1.10.2 | *
    2.3 | Application | Mediawiki | Mediawiki | 1.10.3 | *
    2.3 | Application | Mediawiki | Mediawiki | 1.10.4 | *
    2.3 | Application | Mediawiki | Mediawiki | 1.11 | *
    2.3 | Application | Mediawiki | Mediawiki | 1.11.0 | *
    2.3 | Application | Mediawiki | Mediawiki | 1.11.0 | rc1
    2.3 | Application | Mediawiki | Mediawiki | 1.11.1 | *
    2.3 | Application | Mediawiki | Mediawiki | 1.11.2 | *
    2.3 | Application | Mediawiki | Mediawiki | 1.12.0 | *
    2.3 | Application | Mediawiki | Mediawiki | 1.12.0 | rc1
    2.3 | Application | Mediawiki | Mediawiki | 1.12.1 | *
    2.3 | Application | Mediawiki | Mediawiki | 1.12.2 | *
    2.3 | Application | Mediawiki | Mediawiki | 1.12.3 | *
    2.3 | Application | Mediawiki | Mediawiki | 1.12.4 | *
    2.3 | Application | Mediawiki | Mediawiki | 1.13.0 | *
    2.3 | Application | Mediawiki | Mediawiki | 1.13.0 | rc1
    2.3 | Application | Mediawiki | Mediawiki | 1.13.0 | rc2
    2.3 | Application | Mediawiki | Mediawiki | 1.13.1 | *
    2.3 | Application | Mediawiki | Mediawiki | 1.13.2 | *
    2.3 | Application | Mediawiki | Mediawiki | 1.13.3 | *
    2.3 | Application | Mediawiki | Mediawiki | 1.13.4 | *
    2.3 | Application | Mediawiki | Mediawiki | 1.14.0 | *
    2.3 | Application | Mediawiki | Mediawiki | 1.14.0 | rc1
    2.3 | Application | Mediawiki | Mediawiki | 1.14.1 | *
    2.3 | Application | Mediawiki | Mediawiki | 1.15.0 | *
    2.3 | Application | Mediawiki | Mediawiki | 1.15.0 | rc1
    2.3 | Application | Mediawiki | Mediawiki | 1.15.1 | *
    2.3 | Application | Mediawiki | Mediawiki | 1.15.2 | *
    2.3 | Application | Mediawiki | Mediawiki | 1.15.3 | *
    2.3 | Application | Mediawiki | Mediawiki | 1.15.4 | *
    2.3 | Application | Mediawiki | Mediawiki | 1.15.5 | *
    2.3 | Application | Mediawiki | Mediawiki | 1.16.0 | *
    2.3 | Application | Mediawiki | Mediawiki | 1.16.0 | beta1
    2.3 | Application | Mediawiki | Mediawiki | 1.16.0 | beta2
    2.3 | Application | Mediawiki | Mediawiki | 1.16.0 | beta3
    2.3 | Application | Mediawiki | Mediawiki | 1.16.1 | *
    2.3 | Application | Mediawiki | Mediawiki | 1.16.2 | *
    2.3 | Application | Mediawiki | Mediawiki | 1.17 | *
    2.3 | Application | Mediawiki | Mediawiki | 1.17 | beta_1
    2.3 | Application | Mediawiki | Mediawiki | 1.17.0 | *
    2.3 | Application | Mediawiki | Mediawiki | 1.17.0 | rc1
    2.3 | Application | Mediawiki | Mediawiki | 1.17.1 | *
    2.3 | Application | Mediawiki | Mediawiki | 1.17.2 | *
    2.3 | Application | Mediawiki | Mediawiki | 1.17.3 | *
    2.3 | Application | Mediawiki | Mediawiki | 1.17.4 | *
    2.3 | Application | Mediawiki | Mediawiki | 1.18 | *
    2.3 | Application | Mediawiki | Mediawiki | 1.18 | beta_1
    2.3 | Application | Mediawiki | Mediawiki | 1.18.0 | *
    2.3 | Application | Mediawiki | Mediawiki | 1.18.0 | rc1
    2.3 | Application | Mediawiki | Mediawiki | 1.18.1 | *
    2.3 | Application | Mediawiki | Mediawiki | 1.18.2 | *
    2.3 | Application | Mediawiki | Mediawiki | 1.18.3 | *
    2.3 | Application | Mediawiki | Mediawiki | 1.19 | *
    2.3 | Application | Mediawiki | Mediawiki | 1.19 | beta_1
    2.3 | Application | Mediawiki | Mediawiki | 1.19 | beta_2
    2.3 | Application | Mediawiki | Mediawiki | 1.19.0 | *
    2.3 | Application | Mediawiki | Mediawiki | 1.19.1 | *
    2.3 | Application | Mediawiki | Mediawiki | 1.19.2 | *
    2.3 | Application | Mediawiki | Mediawiki | 1.19.3 | *
    2.3 | Application | Mediawiki | Mediawiki | 1.19.4 | *
    2.3 | Application | Mediawiki | Mediawiki | * | * | Version End Including: 1.19.5
    2.3 | Application | Mediawiki | Mediawiki | 1.20.1 | *
    2.3 | Application | Mediawiki | Mediawiki | 1.20.2 | *
    2.3 | Application | Mediawiki | Mediawiki | 1.20.3 | *
    2.3 | Application | Mediawiki | Mediawiki | 1.20.4 | *
  • OR - Configuration 2
    CPE Version | Part | Vendor | Product | Version | Update
    (All remaining CPE fields are *.)
    2.3 | OS | Fedoraproject | Fedora | 17 | *
    2.3 | OS | Fedoraproject | Fedora | 18 | *
    2.3 | OS | Fedoraproject | Fedora | 19 | *
  • OR - Configuration 3
    CPE Version | Part | Vendor | Product | Version | Update
    (All remaining CPE fields are *.)
    2.3 | OS | Gentoo | Linux | * | *

Vulnerable Software List

Vendor | Product | Versions
Mediawiki | Mediawiki | *, 1.1.0, 1.10.0, 1.10.1, 1.10.2, 1.10.3, 1.10.4, 1.11, 1.11.0, 1.11.1, 1.11.2, 1.12.0, 1.12.1, 1.12.2, 1.12.3, 1.12.4, 1.13.0, 1.13.1, 1.13.2, 1.13.3, 1.13.4, 1.14.0, 1.14.1, 1.15.0, 1.15.1, 1.15.2, 1.15.3, 1.15.4, 1.15.5, 1.16.0, 1.16.1, 1.16.2, 1.17, 1.17.0, 1.17.1, 1.17.2, 1.17.3, 1.17.4, 1.18, 1.18.0, 1.18.1, 1.18.2, 1.18.3, 1.19, 1.19.0, 1.19.1, 1.19.2, 1.19.3, 1.19.4, 1.20.1, 1.20.2, 1.20.3, 1.20.4
Fedoraproject | Fedora | 17, 18, 19
Gentoo | Linux | *

References

Name | URL | Source | Tags
FEDORA-2013-7701 | http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105784.html | FEDORA | Third Party Advisory
FEDORA-2013-7714 | http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105825.html | FEDORA | Third Party Advisory
FEDORA-2013-7654 | http://lists.fedoraproject.org/pipermail/package-announce/2013-May/106293.html | FEDORA | Third Party Advisory
[MediaWiki-announce] 20130430 MediaWiki Security Release: 1.20.5 and 1.19.6 | http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-April/000129.html | MLIST | Patch
55433 | http://secunia.com/advisories/55433 | SECUNIA |
GLSA-201310-21 | http://security.gentoo.org/glsa/glsa-201310-21.xml | GENTOO | Third Party Advisory
https://bugzilla.wikimedia.org/show_bug.cgi?id=46590 | https://bugzilla.wikimedia.org/show_bug.cgi?id=46590 | CONFIRM | Issue Tracking, Patch