Vulnerability CVE-2015-8001

Vulnerability Name:

CVE-2015-8001 (CCN-107703)

Assigned:

2015-10-29

Published:

2015-10-29

Updated:

2015-11-10

Summary:

The chunked upload API (ApiUpload) in MediaWiki before 1.23.11, 1.24.x before 1.24.4, and 1.25.x before 1.25.3 does not restrict the uploaded data to the claimed file size, which allows remote authenticated users to cause a denial of service via a chunk that exceeds the file size.

CVSS v3 Severity:

4.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)
3.8 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): Low User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Low

CVSS v2 Severity:

3.5 Low (CVSS v2 Vector: AV:N/AC:M/Au:S/C:N/I:N/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

4.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

Vulnerability Type:

CWE-284

Vulnerability Consequences:

Denial of Service

References:

Source: MITRE
Type: CNA
CVE-2015-8001

Source: CCN
Type: SECTRACK ID: 1034028
MediaWiki Multiple Bugs Let Remote Users Obtain Potentially Sensitive Information and Conduct Cross-Site Scripting Attacks and Let Remote Authenticated Users Bypass Security and Deny Service

Source: SECTRACK
Type: UNKNOWN
1034028

Source: XF
Type: UNKNOWN
mediawiki-cve20158001-dos(107703)

Source: MLIST
Type: Patch, Vendor Advisory
[MediaWiki-announce] 20151016 Security Release: 1.25.3, 1.24.4 and 1.23.11

Source: CONFIRM
Type: Vendor Advisory
https://phabricator.wikimedia.org/T91203

Source: CCN
Type: MediaWiki Web site
MediaWiki

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2015-8001

Vulnerable Configuration:

Configuration 1:

cpe:/a:mediawiki:mediawiki:*:*:*:*:*:*:*:* (Version <= 1.23.10)

OR cpe:/a:mediawiki:mediawiki:1.24.0:*:*:*:*:*:*:*

OR cpe:/a:mediawiki:mediawiki:1.24.1:*:*:*:*:*:*:*

OR cpe:/a:mediawiki:mediawiki:1.24.2:*:*:*:*:*:*:*

OR cpe:/a:mediawiki:mediawiki:1.24.3:*:*:*:*:*:*:*

OR cpe:/a:mediawiki:mediawiki:1.25.0:*:*:*:*:*:*:*

OR cpe:/a:mediawiki:mediawiki:1.25.1:*:*:*:*:*:*:*

OR cpe:/a:mediawiki:mediawiki:1.25.2:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:com.ubuntu.disco:def:201580010000000	V	CVE-2015-8001 on Ubuntu 19.04 (disco) - low.	2015-11-09
oval:com.ubuntu.artful:def:20158001000	V	CVE-2015-8001 on Ubuntu 17.10 (artful) - low.	2015-11-09
oval:com.ubuntu.trusty:def:20158001000	V	CVE-2015-8001 on Ubuntu 14.04 LTS (trusty) - low.	2015-11-09
oval:com.ubuntu.bionic:def:20158001000	V	CVE-2015-8001 on Ubuntu 18.04 LTS (bionic) - low.	2015-11-09
oval:com.ubuntu.cosmic:def:201580010000000	V	CVE-2015-8001 on Ubuntu 18.10 (cosmic) - low.	2015-11-09
oval:com.ubuntu.cosmic:def:20158001000	V	CVE-2015-8001 on Ubuntu 18.10 (cosmic) - low.	2015-11-09
oval:com.ubuntu.bionic:def:201580010000000	V	CVE-2015-8001 on Ubuntu 18.04 LTS (bionic) - low.	2015-11-09
oval:com.ubuntu.precise:def:20158001000	V	CVE-2015-8001 on Ubuntu 12.04 LTS (precise) - low.	2015-11-09

BACK