CVE-2021-36126

9.8 CRITICAL

📋 TL;DR

This vulnerability in MediaWiki's AbuseFilter extension causes a fatal error when both the content language and English versions of the MediaWiki:Abusefilter-blocker message are invalid. This prevents the filter from blocking or restricting potentially malicious users. All MediaWiki instances using the AbuseFilter extension through version 1.36 are affected.

💻 Affected Systems

Products:
  • MediaWiki with AbuseFilter extension
Versions: MediaWiki through 1.36
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations using the AbuseFilter extension. The vulnerability triggers when both language versions of the MediaWiki:Abusefilter-blocker message are invalid.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Malicious users bypass AbuseFilter protections entirely, allowing prohibited content, vandalism, or other policy violations without restriction.

🟠 Likely Case: AbuseFilter fails to block users who trigger filters, allowing policy violations that would normally be prevented.

🟢 If Mitigated: With proper monitoring and manual intervention, administrators can still catch and block malicious users, though automated protection is lost.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires triggering AbuseFilter conditions that would normally block a user, combined with invalid message configurations.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: MediaWiki 1.36.1 or later

Vendor Advisory: https://phabricator.wikimedia.org/T284364

Restart Required: No

Instructions:

1. Update MediaWiki to version 1.36.1 or later.
2. Ensure the AbuseFilter extension is updated if using a separate extension version.
3. Verify the MediaWiki:Abusefilter-blocker message exists and is valid in all configured languages.

🔧 Temporary Workarounds

Validate AbuseFilter Messages (applies to: all)

Ensure the MediaWiki:Abusefilter-blocker message exists and is valid in both the content language and English.

Disable AbuseFilter (applies to: all)

Temporarily disable the AbuseFilter extension if patching is not immediately possible: remove or comment out wfLoadExtension('AbuseFilter'); in LocalSettings.php.

🧯 If You Can't Patch

  • Implement additional monitoring for user actions that would normally trigger AbuseFilter blocks
  • Increase manual review of recent changes and user activity

🔍 How to Verify

Check if Vulnerable:

Check MediaWiki version with Special:Version page. If version is 1.36 or earlier and AbuseFilter extension is enabled, the system is vulnerable.

Check Version:

Visit Special:Version in your MediaWiki installation or check includes/DefaultSettings.php for $wgVersion

Verify Fix Applied:

After updating to 1.36.1 or later, verify that AbuseFilter blocks users appropriately when triggered.
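The version and extension check above can be scripted against the MediaWiki API's siteinfo query. The following is an added example, not code from this advisory or from MediaWiki: it assumes the response shape of api.php?action=query&meta=siteinfo&siprop=general|extensions&format=json, and the embedded JSON is a constructed sample for a hypothetical 1.36.0 wiki with AbuseFilter loaded.

```python
import json
import re

# Constructed sample of a siteinfo API response (hypothetical wiki, not real data).
SAMPLE_SITEINFO = json.dumps({
    "query": {
        "general": {"sitename": "ExampleWiki", "generator": "MediaWiki 1.36.0"},
        "extensions": [
            {"type": "antispam", "name": "Abuse Filter", "version": "(dev)"},
            {"type": "parserhook", "name": "Cite"},
        ],
    }
})

# First fixed release named in this advisory; anything below it is treated as affected.
FIXED_VERSION = (1, 36, 1)


def parse_version(generator):
    """'MediaWiki 1.36.0' -> (1, 36, 0); a missing patch component counts as 0."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", generator)
    if not m:
        raise ValueError(f"unrecognised generator string: {generator!r}")
    return tuple(int(g or 0) for g in m.groups())


def abusefilter_loaded(extensions):
    """True if the extension list names AbuseFilter (registered as 'Abuse Filter')."""
    names = {e.get("name", "").replace(" ", "").lower() for e in extensions}
    return "abusefilter" in names


def assess(siteinfo_json):
    """Return (version_tuple, abusefilter_enabled, vulnerable_per_advisory)."""
    query = json.loads(siteinfo_json)["query"]
    version = parse_version(query["general"]["generator"])
    enabled = abusefilter_loaded(query.get("extensions", []))
    return version, enabled, enabled and version < FIXED_VERSION


if __name__ == "__main__":
    v, enabled, vuln = assess(SAMPLE_SITEINFO)
    print(f"MediaWiki {'.'.join(map(str, v))}, AbuseFilter loaded: {enabled}, "
          f"affected per CVE-2021-36126 advisory: {vuln}")
```

A plain version comparison cannot see a fix backported to an older branch, so treat the result as a screening check and confirm with the blocking behaviour test described above.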

📡 Detection & Monitoring

Log Indicators:

  • PHP fatal errors related to AbuseFilter
  • Failed AbuseFilter blocking attempts
  • Users not being blocked despite triggering filter conditions

Network Indicators:

  • N/A

SIEM Query:

Search for 'AbuseFilter' AND ('fatal error' OR 'failed to block' OR 'invalid message') in application logs
