Vulnerability CVE-2012-1581

Vulnerability Name:

CVE-2012-1581 (CCN-78910)

Assigned:

2012-03-22

Published:

2012-03-22

Updated:

2017-08-29

Summary:

MediaWiki 1.17.x before 1.17.3 and 1.18.x before 1.18.2 uses weak random numbers for password reset tokens, which makes it easier for remote attackers to change the passwords of arbitrary users.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

Vulnerability Type:

CWE-264

Vulnerability Consequences:

Bypass Security

References:

Source: MITRE
Type: CNA
CVE-2012-1581

Source: CCN
Type: MediaWiki Web Site
MediaWiki security and maintenance release 1.17.3

Source: MLIST
Type: Vendor Advisory
[MediaWiki-announce] 20120322 MediaWiki security and maintenance release 1.17.3

Source: MLIST
Type: Vendor Advisory
[MediaWiki-announce] 20120322 MediaWiki security and maintenance release 1.18.2

Source: CCN
Type: SA48504
MediaWiki Multiple Vulnerabilities

Source: SECUNIA
Type: Vendor Advisory
48504

Source: MLIST
Type: UNKNOWN
[oss-security] 20120322 MediaWiki security and maintenance release 1.18.2

Source: MLIST
Type: UNKNOWN
[oss-security] 20120323 CVEs for MediaWiki security and maintenance release 1.18.2

Source: BID
Type: UNKNOWN
52689

Source: CCN
Type: BID-52689
MediaWiki Multiple Security Vulnerabilities

Source: CONFIRM
Type: UNKNOWN
https://bugzilla.wikimedia.org/show_bug.cgi?id=35078

Source: XF
Type: UNKNOWN
mediawiki-random-numbers-sec-bypass(78910)

Source: XF
Type: UNKNOWN
mediawiki-random-numbers-sec-bypass(78910)

Vulnerable Configuration:

Configuration 1:

cpe:/a:mediawiki:mediawiki:1.17:*:*:*:*:*:*:*

OR cpe:/a:mediawiki:mediawiki:1.17:beta_1:*:*:*:*:*:*

OR cpe:/a:mediawiki:mediawiki:1.17.0:*:*:*:*:*:*:*

OR cpe:/a:mediawiki:mediawiki:1.17.0:rc1:*:*:*:*:*:*

OR cpe:/a:mediawiki:mediawiki:1.17.1:*:*:*:*:*:*:*

OR cpe:/a:mediawiki:mediawiki:1.17.2:*:*:*:*:*:*:*

Configuration 2:

cpe:/a:mediawiki:mediawiki:1.18:*:*:*:*:*:*:*

OR cpe:/a:mediawiki:mediawiki:1.18:beta_1:*:*:*:*:*:*

OR cpe:/a:mediawiki:mediawiki:1.18.0:*:*:*:*:*:*:*

OR cpe:/a:mediawiki:mediawiki:1.18.0:rc1:*:*:*:*:*:*

OR cpe:/a:mediawiki:mediawiki:1.18.1:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:mediawiki:mediawiki:1.17.0:*:*:*:*:*:*:*

OR cpe:/a:mediawiki:mediawiki:1.17:*:*:*:*:*:*:*

OR cpe:/a:mediawiki:mediawiki:1.17.1:*:*:*:*:*:*:*

OR cpe:/a:mediawiki:mediawiki:1.18.1:*:*:*:*:*:*:*

OR cpe:/a:mediawiki:mediawiki:1.18.0:*:*:*:*:*:*:*

OR cpe:/a:mediawiki:mediawiki:1.17.2:*:*:*:*:*:*:*

OR cpe:/a:mediawiki:mediawiki:1.17.0:rc1:*:*:*:*:*:*

OR cpe:/a:mediawiki:mediawiki:1.18:*:*:*:*:*:*:*

OR cpe:/a:mediawiki:mediawiki:1.18.0:rc1:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:com.ubuntu.precise:def:20121581000	V	CVE-2012-1581 on Ubuntu 12.04 LTS (precise) - low.	2012-09-09
oval:com.ubuntu.trusty:def:20121581000	V	CVE-2012-1581 on Ubuntu 14.04 LTS (trusty) - low.	2012-09-09

BACK