CVE-2022-28201

CVE-2022-28201

Name

CVE-2022-28201

Description

An issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. Users with the editinterface permission can trigger infinite recursion, because a bare local interwiki is mishandled for the mainpage message.

NVD Severity

medium

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
MISC	https://phabricator.wikimedia.org/T297571
MISC	https://blog.legoktm.com/2022/07/03/a-belated-writeup-of-cve-2022-28201-in-mediawiki.html
MLIST	https://lists.debian.org/debian-lts-announce/2022/09/msg00027.html
Third Party Advisory	https://www.debian.org/security/2022/dsa-5246

Type

URI

MISC

https://phabricator.wikimedia.org/T297571

MISC

https://blog.legoktm.com/2022/07/03/a-belated-writeup-of-cve-2022-28201-in-mediawiki.html

MLIST

https://lists.debian.org/debian-lts-announce/2022/09/msg00027.html

Third Party Advisory

https://www.debian.org/security/2022/dsa-5246

Match rules

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:mediawiki:mediawiki::::::::`	mediawiki	>= None	< 1.35.6
`cpe:2.3:a:mediawiki:mediawiki::::::::`	mediawiki	>= 1.36.0	< 1.36.4
`cpe:2.3:a:mediawiki:mediawiki::::::::`	mediawiki	>= 1.37.0	< 1.37.2

CPE URI

Source package

Min version

Max version

cpe:2.3:a:mediawiki:mediawiki:*:*:*:*:*:*:*:*

mediawiki

>= None

< 1.35.6

cpe:2.3:a:mediawiki:mediawiki:*:*:*:*:*:*:*:*

mediawiki

>= 1.36.0

< 1.36.4

cpe:2.3:a:mediawiki:mediawiki:*:*:*:*:*:*:*:*

mediawiki

>= 1.37.0

< 1.37.2

References

Match rules

Vulnerable and fixed packages