CVE-2022-28201

An issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. Users with the editinterface permission can trigger infinite recursion, because a bare local interwiki is mishandled for the mainpage message.

Weakness

The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

Affected Software

Name	Vendor	Start Version	End Version
Mediawiki	Mediawiki	*	1.35.6 (excluding)
Mediawiki	Mediawiki	1.36.0 (including)	1.36.4 (excluding)
Mediawiki	Mediawiki	1.37.0 (including)	1.37.2 (excluding)
Mediawiki	Ubuntu	bionic	*
Mediawiki	Ubuntu	focal	*
Mediawiki	Ubuntu	impish	*
Mediawiki	Ubuntu	kinetic	*
Mediawiki	Ubuntu	lunar	*
Mediawiki	Ubuntu	mantic	*
Mediawiki	Ubuntu	oracular	*
Mediawiki	Ubuntu	plucky	*
Mediawiki	Ubuntu	trusty	*
Mediawiki	Ubuntu	xenial	*

Potential Mitigations

https://cwe.mitre.org/data/definitions/230.html
https://cwe.mitre.org/data/definitions/231.html

References

https://blog.legoktm.com/2022/07/03/a-belated-writeup-of-cve-2022-28201-in-mediawiki.html
https://lists.debian.org/debian-lts-announce/2022/09/msg00027.html
https://phabricator.wikimedia.org/T297571
https://www.debian.org/security/2022/dsa-5246
https://blog.legoktm.com/2022/07/03/a-belated-writeup-of-cve-2022-28201-in-mediawiki.html
https://lists.debian.org/debian-lts-announce/2022/09/msg00027.html
https://phabricator.wikimedia.org/T297571
https://www.debian.org/security/2022/dsa-5246

NVD	https://nvd.nist.gov/vuln/detail/CVE-2022-28201
CWE	https://cwe.mitre.org/data/definitions/674.html

Uncontrolled Recursion

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References