CVE-2013-2114
medium
CVSS v3
—
CVSS v2
6.8
VIR risk
6.8
Description
Unrestricted file upload vulnerability in the chunk upload API in MediaWiki 1.19 through 1.19.6 and 1.20.x before 1.20.6 allows remote attackers to execute arbitrary code by uploading a file with an executable extension.
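The description says the executable-extension restriction was not enforced on the chunk-upload path. The model below is an added example in Python, not MediaWiki's PHP code, and shows one shape such a gap can take: a stash that validates the name declared when the upload starts but trusts the name supplied when the chunks are assembled, beside the hardened shape that validates the name the file is actually published under. The class names, the `run_upload` helper, the sample chunks and both extension lists are constructed for the example; the lists are only in the spirit of MediaWiki's `$wgFileExtensions` and `$wgFileBlacklist` settings and are not copied from any release. Where exactly the affected releases dropped the check is in the linked bug report and is not reproduced here.

```python
"""Added example, not MediaWiki code: a toy chunked-upload stash that shows
how an executable-extension check can be skipped on the assembled file, and
the corrected check that validates the name the file is actually published as.
All names, lists and behaviour here are constructed for the example."""

# Constructed lists, in the spirit of MediaWiki's $wgFileExtensions (allow)
# and $wgFileBlacklist (deny) settings; not copied from any release.
ALLOWED_EXTENSIONS = {"png", "gif", "jpg", "jpeg"}
EXECUTABLE_EXTENSIONS = {
    "php", "phtml", "php3", "php4", "php5", "phps", "phar",
    "shtml", "pl", "py", "cgi", "sh", "exe", "bat", "cmd",
}


def extensions_of(filename):
    """All extensions of a name, lowercased: 'x.php.png' -> ['php', 'png'].

    Every extension is checked, not only the last one, because some web
    server configurations run 'shell.php.png' as PHP.
    """
    parts = filename.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def is_safe_filename(filename):
    """Allow-list the final extension and deny-list every extension."""
    exts = extensions_of(filename)
    if not exts or exts[-1] not in ALLOWED_EXTENSIONS:
        return False
    return not any(ext in EXECUTABLE_EXTENSIONS for ext in exts)


class ChunkUploadStash:
    """In-memory model of a chunked upload: start(), append_chunk(), finish().

    check_final_name=False models the weak shape: the name is validated once
    when the upload starts and the name supplied at finish() is trusted.
    check_final_name=True is the hardened shape: the published name is
    validated again at finish(), where it actually matters.
    """

    def __init__(self, check_final_name):
        self.check_final_name = check_final_name
        self.sessions = {}
        self.published = {}

    def start(self, session_id, declared_name):
        if not is_safe_filename(declared_name):
            raise ValueError("rejected at start: %s" % declared_name)
        self.sessions[session_id] = {"name": declared_name, "chunks": []}

    def append_chunk(self, session_id, data):
        self.sessions[session_id]["chunks"].append(data)

    def finish(self, session_id, final_name=None):
        session = self.sessions.pop(session_id)
        name = final_name or session["name"]
        if self.check_final_name and not is_safe_filename(name):
            raise ValueError("rejected at finish: %s" % name)
        self.published[name] = b"".join(session["chunks"])
        return name


def run_upload(check_final_name, declared_name, final_name, chunks):
    """Drive one upload; return the published name, or None if it was rejected."""
    stash = ChunkUploadStash(check_final_name)
    try:
        stash.start("s1", declared_name)
        for chunk in chunks:
            stash.append_chunk("s1", chunk)
        return stash.finish("s1", final_name)
    except ValueError:
        return None


if __name__ == "__main__":
    payload = [b"<?php system(", b"$_GET['c']); ?>"]  # constructed sample chunks
    # Weak stash: benign name at start, executable name at finish -> published
    print(run_upload(False, "photo.png", "shell.php", payload))  # shell.php
    # Hardened stash: the same request is rejected when the file is assembled
    print(run_upload(True, "photo.png", "shell.php", payload))   # None
    print(run_upload(True, "photo.png", "photo.png", payload))   # photo.png
```

The point generalises beyond this CVE: any multi-step upload (chunked, resumable, stash-then-publish) must run the full filename and content checks on the object as it will finally be stored, not only on an earlier request the client controls.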
Predictions
Exploit likelihood
20%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Upgrade to MediaWiki 1.19.7 or 1.20.6, the first fixed release of each affected branch (the description above gives the affected ranges; Debian's fix is the 1.19.7 package listed below). Exploitation needs an account with the upload right on a wiki where uploads are enabled ($wgEnableUploads), which MediaWiki's default group permissions grant to all registered users; whether an uploaded script actually executes also depends on the web server running code from the upload directory, so denying script execution there is worthwhile defense in depth on any version.
Vendor advisory: MediaWiki release announcement (reference source secalert@redhat.com) — http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-May/000131.html
Bug report: Wikimedia Bugzilla (reference source secalert@redhat.com) — https://bugzilla.wikimedia.org/show_bug.cgi?id=48306
Third-party advisory: Secunia (reference source secalert@redhat.com) — http://secunia.com/advisories/55433
Distribution tracker: Debian — https://security-tracker.debian.org/tracker/CVE-2013-2114
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | fixed | 1:1.19.7+dfsg-1 |
| debian | bullseye | fixed | 1:1.19.7+dfsg-1 |
| debian | forky | fixed | 1:1.19.7+dfsg-1 |
| debian | sid | fixed | 1:1.19.7+dfsg-1 |
| debian | trixie | fixed | 1:1.19.7+dfsg-1 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| mediawiki | mediawiki | 1.19 | 1.19.7 |
| mediawiki | mediawiki | 1.19.0 | 1.19.7 |
| mediawiki | mediawiki | 1.19.1 | 1.19.7 |
| mediawiki | mediawiki | 1.19.2 | 1.19.7 |
| mediawiki | mediawiki | 1.19.3 | 1.19.7 |
| mediawiki | mediawiki | 1.19.4 | 1.19.7 |
| mediawiki | mediawiki | 1.19.5 | 1.19.7 |
| mediawiki | mediawiki | 1.19.6 | 1.19.7 |
| mediawiki | mediawiki | 1.20.1 | 1.20.6 |
| mediawiki | mediawiki | 1.20.2 | 1.20.6 |
| mediawiki | mediawiki | 1.20.3 | 1.20.6 |
| mediawiki | mediawiki | 1.20.4 | 1.20.6 |
| mediawiki | mediawiki | 1.20.5 | 1.20.6 |
The description covers every 1.20.x release before 1.20.6, so 1.20.0 is affected as well even though the list above omits it.
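To turn the affected ranges above into a check you can run against an install, the following added example (Python, not part of this advisory or of MediaWiki) parses the version a wiki reports and says whether it falls inside the ranges from the description and which release of its branch carries the fix. The ranges and fix versions are taken from the description and the Debian row above; the `assess` and `assess_siteinfo` names are mine, and the sample API response is constructed, although it is shaped like the real reply to `api.php?action=query&meta=siteinfo&siprop=general&format=json`, whose `generator` field carries the version string.

```python
"""Added example, not part of the advisory: decide whether a MediaWiki
install falls in the affected ranges for CVE-2013-2114 from the version
string it reports, and name the fixed release of its branch. The ranges
come from the description above; the sample API response is constructed."""
import json
import re

# Inclusive affected ranges from the description: 1.19 through 1.19.6
# and 1.20.x before 1.20.6 (a bare "1.19" counts as 1.19.0).
AFFECTED_RANGES = (
    ((1, 19, 0), (1, 19, 6)),
    ((1, 20, 0), (1, 20, 5)),
)
# First fixed release per branch (1.19.7 is also the Debian fix version above).
FIXED_IN = {(1, 19): (1, 19, 7), (1, 20): (1, 20, 6)}


def parse_version(text):
    """Extract (major, minor, patch) from strings like 'MediaWiki 1.19.6'."""
    match = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not match:
        raise ValueError("no version number in %r" % text)
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version):
    """True when the version tuple lies inside one of the affected ranges."""
    return any(low <= version <= high for low, high in AFFECTED_RANGES)


def assess(version_text):
    """Return (version, affected, fixed_in); fixed_in is None when not affected."""
    version = parse_version(version_text)
    affected = is_affected(version)
    fixed = FIXED_IN.get(version[:2]) if affected else None
    return version, affected, fixed


def assess_siteinfo(raw_json):
    """Assess the body of api.php?action=query&meta=siteinfo&siprop=general&format=json.

    The 'generator' field carries the version; a reply that lacks it (or an
    unexpected payload) raises rather than being silently reported as safe.
    """
    doc = json.loads(raw_json)
    return assess(doc["query"]["general"]["generator"])


def format_version(version):
    """(1, 19, 7) -> '1.19.7'."""
    return ".".join(str(part) for part in version)


# Constructed sample response, shaped like the real siteinfo reply.
SAMPLE_SITEINFO = json.dumps(
    {"query": {"general": {"sitename": "Example Wiki", "generator": "MediaWiki 1.19.6"}}}
)

if __name__ == "__main__":
    version, affected, fixed = assess_siteinfo(SAMPLE_SITEINFO)
    if affected:
        print("%s affected, upgrade to %s" % (format_version(version), format_version(fixed)))
    else:
        print("%s not in the affected ranges" % format_version(version))
```

Treat the result as a triage signal rather than proof: a distribution package can carry a backported fix while still reporting the old upstream version, so confirm against the package version (for Debian, the 1:1.19.7+dfsg-1 row above) before closing a finding.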
References
- http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-May/000131.html
- http://secunia.com/advisories/55433
- http://security.gentoo.org/glsa/glsa-201310-21.xml
- http://www.openwall.com/lists/oss-security/2013/05/24/3
- https://bugzilla.wikimedia.org/show_bug.cgi?id=48306
- https://security-tracker.debian.org/tracker/CVE-2013-2114