CVE-2023-45363
Published: 09 October 2023
Summary
CVE-2023-45363 is a high-severity infinite-loop (CWE-835) denial-of-service vulnerability in MediaWiki. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 6.4% of CVEs by EPSS exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
The vulnerability is a loop with an unreachable exit condition, tracked as CWE-835, in the ApiPageSet.php component of MediaWiki. It affects versions before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. When an API query names pages that redirect to other language variants and the request sets both the redirects and converttitles parameters, the resolution loop never reaches its exit condition: the request runs until the request time limit fires a RequestTimeoutException, and the PHP worker is occupied for the whole timeout. Enough such requests in parallel exhaust the worker pool, which is the denial-of-service effect. Because converttitles only has an effect on wikis whose content language supports variant conversion, exposure is concentrated on such wikis; nonetheless, treat every installation in the listed version ranges as affected and upgrade.
Unauthenticated remote attackers can exploit the flaw over the network by submitting crafted API requests that satisfy the redirect and title-conversion conditions. Successful exploitation produces only availability impact, with no effect on confidentiality or integrity, consistent with the CVSS 7.5 rating (network-reachable, low complexity, no privileges or user interaction, availability impact high).
Debian security advisory DSA-5520 and the corresponding LTS announcements, along with Wikimedia Phabricator task T333050, direct administrators to apply the fixed releases 1.35.12, 1.39.5, or 1.40.1. The EPSS score is 0.1103 and has not materially increased since disclosure.
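The two facts an operator needs from the analysis above are the affected-version ranges (for triage) and the parameter combination that triggers the loop (for hunting in access logs). The following script is an added example for this page, not code from MediaWiki, Debian or NVD: it encodes the advisory's version ranges in an is_affected() check that also accepts the generator string returned by api.php?action=query&meta=siteinfo, and it scans combined-format web-server log lines for api.php GET requests that carry both redirects and converttitles. The log lines and version strings are constructed for the example; the log parser's format assumption and the treatment of pre-release suffixes are assumptions, noted in the code.

```python
"""Triage helpers for CVE-2023-45363 (MediaWiki ApiPageSet.php unbounded loop).

Added example for this page; not code from MediaWiki, Debian or NVD.
It encodes the advisory's affected-version ranges and the request-parameter
combination the advisory names (both `redirects` and `converttitles` set on an
api.php request). All log lines and version strings below are constructed.
"""
import re
from urllib.parse import parse_qs, urlparse

# Fixed releases named in the advisory, keyed by the minor number of the branch.
FIXED_RELEASE = {35: (1, 35, 12), 39: (1, 39, 5), 40: (1, 40, 1)}


def parse_version(text: str) -> tuple:
    """Extract (major, minor, patch) from '1.39.4' or from the siteinfo
    'generator' field, which reads 'MediaWiki 1.39.4'. A missing patch is 0."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_affected(version: str) -> bool:
    """True when the version is inside the advisory's ranges: before 1.35.12;
    1.36.x through 1.39.x before 1.39.5; 1.40.x before 1.40.1.
    Assumption: pre-release suffixes (-alpha, -rc.1) are ignored, so a release
    candidate of a fixed release is reported as fixed; check those by hand."""
    major, minor, patch = parse_version(version)
    if major != 1:
        return False
    if minor < 35:               # any 1.x older than the 1.35 branch is "before 1.35.12"
        return True
    if minor in FIXED_RELEASE:   # 1.35, 1.39, 1.40: compare against the fixed release
        return (major, minor, patch) < FIXED_RELEASE[minor]
    if 36 <= minor <= 38:        # branches with no fixed release in the advisory
        return True
    return False                 # 1.41 and later are not in the advisory's ranges


# Assumption: Apache/nginx "combined" log format:
#   client ident user [time] "METHOD TARGET PROTO" status bytes "referer" "agent"
_COMBINED = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

TRIGGER_PARAMS = {"redirects", "converttitles"}


def find_trigger_requests(log_text: str) -> list:
    """Return api.php requests whose query string carries both trigger
    parameters. MediaWiki treats a boolean parameter as set when it is present
    at all (even with an empty value), so presence, not value, is checked.
    Caveat: parameters sent in a POST body never reach the access log, so
    POST-based requests are invisible here; this is a hunting signal, not proof,
    since legitimate clients may also set both parameters."""
    hits = []
    for line in log_text.splitlines():
        m = _COMBINED.match(line)
        if not m:
            continue
        url = urlparse(m["target"])
        if not url.path.endswith("/api.php"):
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        if TRIGGER_PARAMS.issubset(params):
            hits.append({
                "client": m["client"],
                "time": m["time"],
                "status": int(m["status"]),
                "titles": params.get("titles", [""])[0],
            })
    return hits


# Constructed sample: lines 1 and 4 carry both parameters; line 2 lacks
# converttitles, line 3 is not api.php, line 5 is a POST with no query string.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:12:00:01 +0000] "GET /w/api.php?action=query&titles=Main_Page&redirects=1&converttitles=1&format=json HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2023:12:00:02 +0000] "GET /w/api.php?action=query&titles=Main_Page&redirects=1&format=json HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.4 - - [10/Oct/2023:12:00:03 +0000] "GET /w/index.php?title=Main_Page HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:12:00:04 +0000] "GET /w/api.php?action=query&titles=Foo&converttitles=&redirects= HTTP/1.1" 503 0 "-" "python-requests/2.31"
192.0.2.9 - - [10/Oct/2023:12:00:05 +0000] "POST /w/api.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
"""

if __name__ == "__main__":
    for v in ("1.35.11", "1.35.12", "1.39.4", "1.39.5", "1.40.0", "1.40.1",
              "1.37.2", "MediaWiki 1.41.0"):
        print(f"{v:>18}: {'AFFECTED' if is_affected(v) else 'not affected'}")
    for hit in find_trigger_requests(SAMPLE_LOG):
        print(hit)
```

Feed is_affected() the generator value from api.php?action=query&meta=siteinfo&siprop=general&format=json to triage an instance without shell access, and run find_trigger_requests() over the web server's access log; a burst of matching requests from one client that all end in timeout-class status codes is the pattern to look for, while the 1.36 to 1.38 branches have no fixed release at all and must move to a supported branch.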
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-2825
Vulnerability details
An issue was discovered in ApiPageSet.php in MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. It allows attackers to cause a denial of service (unbounded loop and RequestTimeoutException) when querying pages redirected to other variants with redirects and converttitles set.
- CWE(s): CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.