CVE-2024-47913: Improper permissions handling in MediaWiki AbuseFilter

October 5, 2024 (updated December 6, 2024)

An issue was discovered in the AbuseFilter extension for MediaWiki before 1.39.9, 1.40.x and 1.41.x before 1.41.3, and 1.42.x before 1.42.2. An API caller can match a filter condition against AbuseFilter logs even if the caller is not authorized to view the log details for the filter.

References

gerrit.wikimedia.org/r/c/mediawiki/extensions/AbuseFilter/+/1076855
github.com/advisories/GHSA-rmcp-9fhq-58pv
github.com/wikimedia/mediawiki-extensions-AbuseFilter
nvd.nist.gov/vuln/detail/CVE-2024-47913
phabricator.wikimedia.org/T372998

Code Behaviors & Features

Detect and mitigate CVE-2024-47913 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →