Attacker Value
Very High
(1 user assessed)
Exploitability
High
(1 user assessed)
User Interaction
None
Privileges Required
Low
Attack Vector
Network
3

CVE-2021-32722

Disclosure Date: June 28, 2021
CVE-2021-32722 CVSS v3 Base Score: 6.5
Exploited in the Wild
Reported by RhinosF1
View Source Details
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

GlobalNewFiles is a mediawiki extension. Versions prior to 48be7adb70568e20e961ea1cb70904454a671b1d are affected by an uncontrolled resource consumption vulnerability. A large amount of page moves within a short space of time could overwhelm Database servers due to improper handling of load balancing and a lack of an appropriate index. As a workaround, one may avoid use of the extension unless additional rate limit at the MediaWiki level or via PoolCounter / MySQL is enabled. A patch is available in version 48be7adb70568e20e961ea1cb70904454a671b1d.

Add Assessment

2
Ratings
  • Attacker Value
    Very High
  • Exploitability
    High
UnauthenticatedVulnerable in default configuration
Technical Analysis

Impact is very dependant on your system. No measures were in place on the software level to control resources via processing of activity in the background or was performance taken into consideration so the larger the extension’s database the easier for it to fall over. The extension should be updating things in the background as the information it makes available is not instantly required and job runners are less likely to overwhelm the database due to their nature.

Log in to Add Reply
CVSS V3 Severity and Metrics
Base Score:
6.5 Medium
Impact Score:
3.6
Exploitability Score:
2.8
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
Low
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
None
Integrity (I):
None
Availability (A):
High

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
GlobalNewFiles < 48be7adb70568e20e961ea1cb70904454a671b1d
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • miraheze

Products

  • globalnewfiles

Exploited in the Wild

Reported by:

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis