Attacker Value: Very High (1 user assessed)
Exploitability: High (1 user assessed)
User Interaction: None
Privileges Required: Low
Attack Vector: Network

CVE-2021-32722

Disclosure Date: June 28, 2021

Description

GlobalNewFiles is a MediaWiki extension. Versions prior to 48be7adb70568e20e961ea1cb70904454a671b1d are affected by an uncontrolled resource consumption vulnerability. A large number of page moves within a short space of time could overwhelm the database servers due to improper handling of load balancing and the lack of an appropriate index. As a workaround, one may avoid use of the extension unless additional rate limiting at the MediaWiki level, or via PoolCounter / MySQL, is enabled. A patch is available in version 48be7adb70568e20e961ea1cb70904454a671b1d.
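The workaround named above, rate limiting at the MediaWiki level, can be applied with core configuration alone. The following LocalSettings.php fragment is an added example written for this page; it is not part of the advisory, nor of the GlobalNewFiles or Miraheze code. It uses MediaWiki's own `$wgRateLimits` setting and its `move` action key, which exist in core; the specific counts and windows are constructed values and should be tuned to the wiki's normal move volume.

```php
<?php
// LocalSettings.php fragment (added example, not from the advisory or the
// GlobalNewFiles project). It applies the advisory's workaround of rate
// limiting at the MediaWiki level: page moves are throttled per account and
// per source address, so a burst of moves cannot fan out into the extension's
// database updates faster than the database servers can absorb them.
// All numbers below are constructed; adjust them to the wiki's real traffic.

// Core MediaWiki throttles the 'move' action through $wgRateLimits.
// Each entry is [ maximum number of actions, window in seconds ].
$wgRateLimits['move'] = [
    // freshly registered accounts: 2 moves per 2 minutes
    'newbie' => [ 2, 120 ],
    // ordinary logged-in users: 8 moves per minute
    'user'   => [ 8, 60 ],
    // ceilings keyed on the client IP and its /24, applied regardless of
    // account, so many throwaway accounts from one source stay bounded
    'ip'     => [ 8, 60 ],
    'subnet' => [ 30, 60 ],
];

// Rate limits are tracked in the main object cache; with CACHE_NONE the
// limits above are not enforced at all. Any real backend (APCu, memcached,
// or the database cache used here as a minimal choice) makes them effective.
$wgMainCacheType = CACHE_DB;
```

Two points to check after deploying this: users holding the `noratelimit` right (granted to sysops and bots in a default install) bypass these limits entirely, so accounts with that right still need the upstream patch or the PoolCounter / MySQL-side limits the advisory also mentions; and the limit counts moves attempted through the normal interface and the API alike, so a single bulk-rename script is throttled the same way as manual moves.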


Ratings
  • Attacker Value
    Very High
  • Exploitability
    High
Technical Analysis

Impact is very dependent on your system. No measures were in place on the software level to control resources via processing of activity in the background, nor was performance taken into consideration, so the larger the extension’s database the easier for it to fall over. The extension should be updating things in the background, as the information it makes available is not instantly required, and job runners are less likely to overwhelm the database due to their nature.

CVSS V3 Severity and Metrics
Base Score:
6.5 Medium
Impact Score:
3.6
Exploitability Score:
2.8
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
Low
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
None
Integrity (I):
None
Availability (A):
High

General Information

Vendors

  • miraheze

Products

  • globalnewfiles
