CVE-2018-0503 — Mediawiki Improper Privilege Management

Description

Mediawiki 1.31 before 1.31.1, 1.30.1, 1.29.3 and 1.27.5 contains a flaw where contrary to the documentation, $wgRateLimits entry for 'user' overrides that for 'newbie'.

How to fix CVE-2018-0503

To remediate CVE-2018-0503, upgrade the affected package to a fixed version below.

Debian/mediawiki—upgrade to 1:1.31.1-1 or later
—upgrade to 1:1.27.5-1~deb9u1 or later
—upgrade to 1.27.5 or later

Is CVE-2018-0503 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0, < 1:1.31.1-1
from 0, < 1:1.27.5-1~deb9u1
>= 1.27.0, < 1.27.5

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

References (11)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2018-0503
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2018-0503
PATCHgithub.com/wikimedia/mediawiki
WEBaccess.redhat.com/errata/RHSA-2019:3142
WEB