CVE-2021-30152

An issue was discovered in MediaWiki before 1.31.13 and 1.32.x through 1.35.x before 1.35.2. When using the MediaWiki API to protect a page, a user is currently able to protect to a higher level than they currently have permissions for.

Weakness

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Affected Software

Name	Vendor	Start Version	End Version
Mediawiki	Mediawiki	*	1.31.13 (excluding)
Mediawiki	Mediawiki	1.32.0 (including)	1.35.2 (excluding)
Mediawiki	Ubuntu	bionic	*
Mediawiki	Ubuntu	devel	*
Mediawiki	Ubuntu	esm-apps/bionic	*
Mediawiki	Ubuntu	esm-apps/focal	*
Mediawiki	Ubuntu	esm-apps/jammy	*
Mediawiki	Ubuntu	esm-apps/noble	*
Mediawiki	Ubuntu	focal	*
Mediawiki	Ubuntu	groovy	*
Mediawiki	Ubuntu	hirsute	*
Mediawiki	Ubuntu	impish	*
Mediawiki	Ubuntu	jammy	*
Mediawiki	Ubuntu	kinetic	*
Mediawiki	Ubuntu	lunar	*
Mediawiki	Ubuntu	mantic	*
Mediawiki	Ubuntu	noble	*
Mediawiki	Ubuntu	oracular	*
Mediawiki	Ubuntu	trusty	*
Mediawiki	Ubuntu	upstream	*

Potential Mitigations

https://cwe.mitre.org/data/definitions/122.html
https://cwe.mitre.org/data/definitions/233.html
https://cwe.mitre.org/data/definitions/58.html

References

https://lists.debian.org/debian-lts-announce/2021/05/msg00003.html
https://lists.debian.org/debian-lts-announce/2021/05/msg00006.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/26UJGHF7LJDOCQN6A3Z4PM7PYRKENJHE/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2OMSV7B2TCFBOCICN3B4SMQP5HVRJQIT/
https://phabricator.wikimedia.org/T270713
https://security.gentoo.org/glsa/202107-40
https://www.debian.org/security/2021/dsa-4889

NVD	https://nvd.nist.gov/vuln/detail/CVE-2021-30152
CWE	https://cwe.mitre.org/data/definitions/269.html

Improper Privilege Management

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References