
Uncontrolled Resource Consumption in GlobalNewFiles

Moderate
RhinosF1 published GHSA-cwv5-c938-5h5h Jun 26, 2021

Package

GlobalNewFiles (MediaWiki Extension)

Affected versions

Prior to 48be7adb70568e20e961ea1cb70904454a671b1d

Patched versions

48be7adb70568e20e961ea1cb70904454a671b1d

Description

Impact

A large number of page moves within a short space of time could overwhelm the database servers. Three factors contributed: improper handling of load balancing, the lack of an appropriate index on the database, and the fact that updates were performed in the foreground rather than through the Jobs system.
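The sketch below illustrates two of those factors, the missing index and foreground updates. It is an added example, not the extension's code: SQLite stands in for the wiki database, the `files` table, its columns and the `MoveQueue` class are hypothetical, and the rows are constructed. Load balancing is not modelled.

```python
import sqlite3
from collections import deque

# Hypothetical schema; the extension's real table and column names may differ.
SCHEMA = "CREATE TABLE files (dbname TEXT, name TEXT, url TEXT)"
INDEX = "CREATE INDEX files_dbname_name ON files (dbname, name)"
MOVE_SQL = "UPDATE files SET name = ?, url = ? WHERE dbname = ? AND name = ?"


def make_db(with_index, rows=1000):
    """Build an in-memory table of constructed rows, optionally indexed."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    if with_index:
        db.execute(INDEX)
    db.executemany(
        "INSERT INTO files VALUES ('examplewiki', ?, ?)",
        ((f"File:{i}.png", f"/img/{i}.png") for i in range(rows)),
    )
    return db


def move_plan(db):
    """Return the planner's description of the page-move UPDATE."""
    rows = db.execute("EXPLAIN QUERY PLAN " + MOVE_SQL, ("n", "u", "w", "o"))
    return " | ".join(r[3] for r in rows)


class MoveQueue:
    """Stand-in for a job queue: the request only enqueues, a worker drains."""

    def __init__(self, db, batch_size=50):
        self.db, self.batch_size, self.pending = db, batch_size, deque()

    def on_page_move(self, dbname, old, new):
        # Foreground cost is O(1): no database write during the web request.
        self.pending.append((new, "/img/" + new, dbname, old))

    def run_once(self):
        """Apply at most batch_size moves in one transaction; return count."""
        n = min(self.batch_size, len(self.pending))
        batch = [self.pending.popleft() for _ in range(n)]
        with self.db:
            self.db.executemany(MOVE_SQL, batch)
        return n
```

Without the index, `move_plan` reports a full table scan for every move; with it, the same statement becomes an index search, and `run_once` caps how many writes reach the database per worker pass regardless of how many moves were requested.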

Patches

Use commit 48be7ad or any later version.

Workarounds

You can consider other rate limit solutions like PoolCounter. Impact will vary based on usage and available resources.

References

https://phabricator.miraheze.org/T7532

For more information

If you have any questions or comments about this advisory:

Severity

Moderate (6.5 / 10)

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE ID

CVE-2021-32722

Weaknesses

Credits