CVE-2023-45363

Severity: High · Public PoC · DDoS

Published: 09 October 2023
Modified: 21 November 2024
KEV Added: not listed
Patch: fixed releases 1.35.12, 1.39.5, 1.40.1
CVSS Score (v3.1): 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.1103 (93.6th percentile)
Risk Priority: 22 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-45363 is a high-severity Infinite Loop (CWE-835) vulnerability in MediaWiki (vendor: MediaWiki). Its CVSS v3.1 base score is 7.5 (High).

Operationally, it ranks in the top 6.4% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

The vulnerability is an unbounded loop condition, tracked as CWE-835, in the ApiPageSet.php component of MediaWiki. It affects versions prior to 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. When the API receives a query for pages that redirect to other variants while both the redirects and converttitles parameters are set, the loop executes without termination and triggers a RequestTimeoutException, resulting in denial of service.

Unauthenticated remote attackers can exploit the flaw over the network by submitting crafted API requests that satisfy the redirect and title-conversion conditions. Successful exploitation produces only availability impact, with no effect on confidentiality or integrity, consistent with the CVSS 7.5 rating.

Debian security advisories DSA-5520 and the corresponding LTS announcements, along with Wikimedia Phabricator task T333050, direct administrators to apply the fixed releases 1.35.12, 1.39.5, or 1.40.1. The EPSS score remains flat at 0.1103 with no material increase after disclosure.

EU & UK References

Vulnerability details

An issue was discovered in ApiPageSet.php in MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. It allows attackers to cause a denial of service (unbounded loop and RequestTimeoutException) when querying pages redirected to other variants with redirects and converttitles set.

CWE(s)

CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

- Vendor: mediawiki · Product: mediawiki · Versions: 1.40.0 · ≤ 1.35.12 · 1.36.0 — 1.39.5
- Vendor: debian · Product: debian linux · Versions: 11.0, 12.0

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-835: enables transfer to an alternate site if an infinite loop at the primary renders processing unavailable.
- Addresses CWE-835: detects and mitigates infinite loops that produce sustained resource consumption.

References