CVE-2015-8627 - Improper Access Control

Severity

50%

Complexity

99%

Confidentiality

48%

MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1 do not properly normalize IP addresses containing zero-padded octets, which might allow remote attackers to bypass intended access restrictions by using an IP address that was not supposed to have been allowed.

CVSS 3.0 Base Score 5.3. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

CVSS 2.0 Base Score 5. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N).

Overview

First reported 8 years ago

2017-03-23 20:59:00

Last updated 8 years ago

2017-03-27 14:18:00

Affected Software

Mediawiki

MediaWiki 1.24.0

1.24.0

MediaWiki 1.24.1

1.24.1

MediaWiki 1.24.2

1.24.2

MediaWiki 1.24.3

1.24.3

MediaWiki 1.24.4

1.24.4

MediaWiki 1.25.0

1.25.0

MediaWiki 1.25.1

1.25.1

MediaWiki 1.25.2

1.25.2

MediaWiki 1.25.3

1.25.3

MediaWiki 1.26.0

1.26.0

References

[oss-security] 20151221 CVE requests for MediaWiki 1.26.1, 1.25.4, 1.24.5 and 1.23.12

Mailing List, Patch, Third Party Advisory

[oss-security] 20151223 Re: CVE requests for MediaWiki 1.26.1, 1.25.4, 1.24.5 and 1.23.12