CVE-2022-34750

Published: Jun 28, 2022Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

An issue was discovered in MediaWiki through 1.38.1. The lemma length of a Wikibase lexeme is currently capped at a thousand characters. Unfortunately, this length is not validated, allowing much larger lexemes to be created, which introduces various denial-of-service attack vectors within the Wikibase and WikibaseLexeme extensions. This is related to Special:NewLexeme and Special:NewProperty.

Affected (1)

Products: Mediawiki: Mediawiki

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Mediawiki Mediawiki	Up to 1.38.1

Related CWEs

Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

References (6)

https://gerrit.wikimedia.org/r/q/I8171bfef73e525d73efa60b407ce147130ea4742

Source: cve@mitre.org

Vendor Advisory

https://gerrit.wikimedia.org/r/q/Id89a9b08e40f075d2d422cafd03668dff3ce7fc9

Source: cve@mitre.org

Vendor Advisory

https://phabricator.wikimedia.org/T308659

Source: cve@mitre.org

Mailing List

https://gerrit.wikimedia.org/r/q/I8171bfef73e525d73efa60b407ce147130ea4742

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://gerrit.wikimedia.org/r/q/Id89a9b08e40f075d2d422cafd03668dff3ce7fc9

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://phabricator.wikimedia.org/T308659

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing List

Timeline

No history available yet.