CVE-2022-41766: User Name Leak in MediaWiki Rollback Feature

A critical vulnerability has been discovered in MediaWiki, the popular open-source wiki software, that allows an attacker to potentially access the username of a user even when the user has been revision deleted/suppressed. The vulnerability has been assigned the identifier CVE-2022-41766 and affects MediaWiki versions before 1.35.8, 1.36.x and 1.37.x before 1.37.5, and 1.38.x before 1.38.3.

The issue occurs during a rollback operation, which is when a user attempts to revert the most recent edits made by another user. The vulnerability generates the "alreadyrolled" message response, which can inadvertently reveal the username of the affected user.

Exploit Details

The vulnerability is triggered when an action=rollback operation takes place within the affected MediaWiki installations. When a user has been revision deleted or suppressed, the alreadyrolled message response that the platform generates can leak that username.

Here's a code snippet representing the action=rollback operation

$action = [
  'action' => 'rollback',
  'title' => 'Page title',
  'user' => 'Username',
  'token' => 'rollback token',
];

Where "Page title" is the title of the page being rolled back and "Username" is the user whose edits are being rolled back.

The following links provide more information about the vulnerability and the actions taken to mitigate its impact:

1. MediaWiki Security Release: https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/49S5BRNBBSDZGTK6EE3PU5JPDD2OVGOW/
2. MediaWiki Security Tracker: https://phabricator.wikimedia.org/T305371
3. CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41766

Mitigation

To mitigate this vulnerability, users are strongly encouraged to update their MediaWiki installations to the latest patched versions:

1.38.3, for users running MediaWiki 1.38.x

To update MediaWiki, follow the instructions provided in the MediaWiki upgrade documentation: https://www.mediawiki.org/wiki/Manual:Upgrading

Moreover, MediaWiki administrators should assess their revision deletion and suppression policies, ensuring that proper permissions are in place to prevent unauthorized access to sensitive information.

Conclusion

The CVE-2022-41766 vulnerability poses a significant risk to users who have their usernames revision deleted or suppressed within vulnerable MediaWiki installations. By promptly updating vulnerable MediaWiki versions and reviewing internal policies, administrators can mitigate this risk, ensuring the confidentiality of their users' information remains intact.

Timeline

Published on: 05/29/2023 21:15:00 UTC
Last modified on: 06/05/2023 14:24:00 UTC