Incorrect Permission Assignment for Critical Resource vulnerability in The Wikimedia Foundation Mediawiki - Lockdown Extension allows Privilege Abuse. Fixed in Mediawiki Core Action APIThis issue affects Mediawiki - Lockdown Extension: from master before 1.42.
The Lockdown extension is used to restrict access to MediaWiki namespaces and resources based on user groups. Due to incorrect permission assignment to critical resources, the access control mechanisms implemented by the extension can be bypassed via the MediaWiki Core Action API. An attacker — without requiring authentication, user interaction, or fulfillment of additional conditions — can gain access to resources that should be protected by Lockdown.
An attacker can gain unauthorized access to protected wiki resources and potentially escalate their privileges by bypassing restrictions imposed by the Lockdown extension. CVSS vectors indicate a high impact on the confidentiality, integrity, and availability of both the target system and related systems.
The Lockdown extension should be updated to version 1.42 or later. The fix is available in the Wikimedia Foundation Gerrit repository (Id275382743957004fa7fc56318fc104d8e2d267b). Details are available in the phabricator.wikimedia.org/T397521 issue report.
MediaWiki installations with the Lockdown extension installed — versions from the master branch prior to version 1.42. The fix was introduced in MediaWiki Core Action API.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X