CVE-2021-36128

9.8 CRITICAL

📋 TL;DR

CVE-2021-36128 is a flaw in MediaWiki's CentralAuth extension: autoblocks for CentralAuth-issued suppression blocks are not properly implemented. An autoblock is supposed to block the IP addresses the blocked account recently used, so a suppressed user can keep editing from those addresses, anonymously or under a fresh account, when the block should have stopped them. Every MediaWiki installation running CentralAuth on an affected version is exposed. The flaw is a bypass of a moderation control, not code execution or data disclosure.

💻 Affected Systems

Products:
  • MediaWiki
Versions: MediaWiki through 1.36 (the flaw is in the CentralAuth extension; the core version is the advisory's reference point)
Operating Systems: All
Default Config Vulnerable: ⚠️ No for a stock MediaWiki install (CentralAuth is a separately installed extension, not part of the default bundle); Yes once CentralAuth is enabled, since no further configuration is needed to be affected
Notes: Only affects installations with the CentralAuth extension enabled.

📦 What is this software?

MediaWiki is the PHP wiki engine that powers Wikipedia and the other Wikimedia projects and is widely deployed for corporate and community wikis. CentralAuth is the extension that provides unified login across a wiki farm: one global account per user, plus global tools for locking and suppressing (hiding) accounts. The suppression blocks this CVE concerns are issued through CentralAuth.

⚠️ Risk & Real-World Impact

🔴 Worst Case

A suppressed user keeps editing across the wiki farm from the IP addresses the autoblock should have covered, anonymously or under freshly created accounts, producing the vandalism, misinformation, or unauthorized content changes the suppression was meant to stop.

🟠 Likely Case

Users who should be blocked continue accessing and editing content until a steward notices and blocks the addresses manually, undermining moderation controls and the trust placed in suppression.

🟢 If Mitigated

With monitoring of edits from recently suppressed accounts' addresses and manual IP blocks as a backstop, impact is limited to unauthorized edits that are detected and rolled back.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

No exploit code is involved: the autoblock is simply not applied, so a suppressed user who keeps editing from an address that should have been autoblocked succeeds without doing anything special. The only knowledge required is noticing that the block did not follow them.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: MediaWiki 1.36.1 and later. The fix ships in the CentralAuth extension, so the extension must be updated to the branch matching the patched core release; updating core alone does not apply it.

Vendor Advisory: https://phabricator.wikimedia.org/T281972

Restart Required: No

Instructions:

1. Update MediaWiki to version 1.36.1 or later.
2. Update the CentralAuth extension to the same release branch (or apply the CentralAuth patches referenced from the vendor advisory); the fix is in the extension, not in core.
3. Verify the fix by testing block functionality: issue a suppression block against a test account and confirm that the IP addresses it recently used are autoblocked.

🔧 Temporary Workarounds

Disable CentralAuth Extension (applies to: all platforms)

Temporarily disable the CentralAuth extension. Caveat: this also removes unified (global) login and the global lock and suppression tools for the whole farm, so it trades one failed control for the loss of all of them; it is only realistic on a single wiki that happens to have the extension loaded.

Edit LocalSettings.php and comment out or remove the line wfLoadExtension( 'CentralAuth' ); then confirm that CentralAuth no longer appears on Special:Version.

Manual Block Monitoring (applies to: all platforms)

Until patched, treat every suppression block as incomplete: when a global account is suppressed, manually place the IP blocks an autoblock would have created (using CheckUser data for the account's recent addresses, if that extension is installed), and review edits from those addresses for the length of the autoblock window ($wgAutoblockExpiry, 24 hours by default).

🧯 If You Can't Patch

  • When a suppression block is issued, manually block the IP addresses the account recently used (the addresses the autoblock should have covered) and re-check them for the duration of the autoblock window
  • Rate-limit and review edits by new or anonymous accounts originating from those addresses, so a suppressed user who returns under a fresh account is caught quickly

🔍 How to Verify

Check if Vulnerable:

Check the MediaWiki version and whether CentralAuth is loaded; Special:Version shows both, including the installed CentralAuth version. MediaWiki 1.36 or earlier with CentralAuth enabled is in the affected set. Because the fix is in the extension, a wiki whose core is current but whose CentralAuth checkout predates the fix is still vulnerable.

Check Version:

Check the MediaWiki version via Special:Version, by running php maintenance/version.php, or by reading the MW_VERSION constant in includes/Defines.php (MediaWiki 1.35 and later; earlier releases set $wgVersion in includes/DefaultSettings.php).

Verify Fix Applied:

Test block functionality on a staging wiki, not production: create a suppression block against a test account, then attempt an edit from an IP address that account recently used. With the fix in place the edit is refused by the autoblock; if it succeeds, the extension is still vulnerable.
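The version-and-extension check above, as an added example (not code from the advisory or from MediaWiki). It assumes the MW_VERSION constant lives in includes/Defines.php (true for MediaWiki 1.35 and later), that CentralAuth is loaded through wfLoadExtension() in LocalSettings.php, and it uses the advisory's 1.36.1 as the fixed version, so any older core with CentralAuth loaded is reported as affected; an older supported branch that has picked up a backported CentralAuth fix must be confirmed against the extension itself. The install trees it writes are constructed fixtures.

```python
import re
import tempfile
from pathlib import Path
from typing import Optional, Tuple

# Fixed release as stated in the advisory (assumption: anything older with
# CentralAuth loaded is treated as affected; a supported older branch with a
# backported CentralAuth fix needs a manual check of the extension checkout).
FIXED_VERSION = (1, 36, 1)

# define( 'MW_VERSION', '1.36.0' );  in includes/Defines.php (MediaWiki 1.35+)
VERSION_RE = re.compile(r"define\(\s*'MW_VERSION'\s*,\s*'([^']+)'\s*\)")
# An active wfLoadExtension( 'CentralAuth' ) line in LocalSettings.php.
# Lines commented out with '#' or '//' do not match; a /* */ block would.
LOAD_RE = re.compile(r"^\s*wfLoadExtension\(\s*['\"]CentralAuth['\"]", re.M)


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.36.0-rc.1' -> (1, 36, 0): numeric parts up to the first pre-release tag."""
    nums = []
    for part in text.split("."):
        m = re.match(r"(\d+)(.*)", part)
        if m is None:
            break
        nums.append(int(m.group(1)))
        if m.group(2):  # '0-rc', '0alpha': stop here, the tag is not a number
            break
    return tuple(nums) or (0,)


def mediawiki_version(root: Path) -> Optional[str]:
    """Version string from includes/Defines.php, or None if it cannot be read."""
    defines = root / "includes" / "Defines.php"
    if not defines.is_file():
        return None
    m = VERSION_RE.search(defines.read_text())
    return m.group(1) if m else None


def centralauth_loaded(root: Path) -> bool:
    """True when LocalSettings.php has an active wfLoadExtension( 'CentralAuth' )."""
    settings = root / "LocalSettings.php"
    return settings.is_file() and LOAD_RE.search(settings.read_text()) is not None


def classify(root: Path) -> str:
    """'affected', 'not-affected', or 'unknown' when no version could be read."""
    version = mediawiki_version(root)
    if version is None:
        return "unknown"
    if centralauth_loaded(root) and parse_version(version) < FIXED_VERSION:
        return "affected"
    return "not-affected"


def make_fixture(root: Path, version: str, load_line: str) -> Path:
    """Constructed sample install tree (a fixture, not a real MediaWiki)."""
    (root / "includes").mkdir(parents=True)
    (root / "includes" / "Defines.php").write_text(
        f"<?php\ndefine( 'MW_VERSION', '{version}' );\n"
    )
    (root / "LocalSettings.php").write_text(f"<?php\n{load_line}\n")
    return root


WORK = Path(tempfile.mkdtemp())
FIXTURES = {
    "vuln": make_fixture(WORK / "vuln", "1.36.0", "wfLoadExtension( 'CentralAuth' );"),
    "vuln_lts": make_fixture(WORK / "vuln_lts", "1.35.2", "wfLoadExtension( 'CentralAuth' );"),
    "fixed": make_fixture(WORK / "fixed", "1.36.1", "wfLoadExtension( 'CentralAuth' );"),
    "no_ca": make_fixture(WORK / "no_ca", "1.36.0", "# wfLoadExtension( 'CentralAuth' );"),
}

if __name__ == "__main__":
    for name, root in FIXTURES.items():
        print(f"{name}: MediaWiki {mediawiki_version(root)} -> {classify(root)}")
```

Point classify() at the real document root of each wiki in the farm; the "no_ca" fixture shows that a commented-out load line is correctly treated as not loaded, and "vuln_lts" shows why the version rule alone is not enough on an older branch.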

📡 Detection & Monitoring

Log Indicators:

  • Successful edits by an account that CentralAuth shows as locked or suppressed
  • Edits from an IP address recently used by a suppressed account within the autoblock window (24 hours by default, $wgAutoblockExpiry) with no corresponding autoblock in place
  • CentralAuth block-related errors or warnings in the application log

Network Indicators:

  • Edits from addresses previously tied to a suppressed account, in particular from newly created accounts at those addresses

SIEM Query:

Illustrative pseudo-query only; the field names are placeholders, not MediaWiki log fields, so map them onto however your pipeline ingests edit and block data:

source="mediawiki" AND (event="block bypass" OR (user_status="blocked" AND action="edit"))
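The correlation the log indicators above describe, as an added example that is not part of the advisory and not MediaWiki or CentralAuth code: for each suppression block, flag edits made within the autoblock window either by the suppressed account itself or from an IP address it had recently used, which is exactly what a working autoblock would have refused. The records and their field names are constructed for this example; in a real farm the address list would come from CheckUser data (if that extension is installed) and the edits from recentchanges or the logging table. The 86400-second window is MediaWiki's default $wgAutoblockExpiry.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# MediaWiki default $wgAutoblockExpiry: how long an autoblock on the blocked
# account's IP addresses lasts.
AUTOBLOCK_EXPIRY = timedelta(seconds=86400)

# Constructed: CentralAuth suppression blocks, each with the IP addresses the
# account had recently used (the addresses a working autoblock would cover).
# Field names are this example's own, not a MediaWiki or CentralAuth schema.
SUPPRESSIONS = [
    {"user": "Vandal1", "at": "2021-05-01T10:00:00Z",
     "ips": ["198.51.100.7", "203.0.113.9"]},
    {"user": "Spammer2", "at": "2021-05-01T12:00:00Z", "ips": ["192.0.2.44"]},
]

# Constructed edit records: (timestamp, actor, source IP, page). Anonymous
# edits carry the IP address as the actor name, as MediaWiki does.
EDITS = [
    ("2021-05-01T09:30:00Z", "Vandal1", "198.51.100.7", "Main_Page"),       # before the block
    ("2021-05-01T10:20:00Z", "198.51.100.7", "198.51.100.7", "Main_Page"),  # anon, autoblocked IP
    ("2021-05-01T11:00:00Z", "FreshAccount", "203.0.113.9", "Policy"),      # new account, same IP
    ("2021-05-01T13:00:00Z", "Spammer2", "192.0.2.44", "Talk:Policy"),      # suppressed account
    ("2021-05-02T12:30:00Z", "Other", "192.0.2.44", "Sandbox"),             # window expired
    ("2021-05-01T15:00:00Z", "Alice", "192.0.2.200", "Help"),               # unrelated
]

Hit = Tuple[str, str, str, str, str, str]  # ts, actor, ip, page, blocked user, reason


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_bypass_edits(suppressions: List[Dict],
                      edits: List[Tuple[str, str, str, str]]) -> List[Hit]:
    """Edits a correctly applied autoblock would have refused.

    An edit is flagged when it falls inside [suppression, suppression + expiry]
    and is either made by the suppressed account itself or comes from one of
    the IP addresses that account had used before the block.
    """
    windows = [(parse_ts(s["at"]), s) for s in suppressions]
    hits: List[Hit] = []
    for ts, actor, ip, page in edits:
        when = parse_ts(ts)
        for start, s in windows:
            if not start <= when <= start + AUTOBLOCK_EXPIRY:
                continue
            if actor == s["user"]:
                hits.append((ts, actor, ip, page, s["user"],
                             f"suppressed account {s['user']} still editing"))
            elif ip in s["ips"]:
                hits.append((ts, actor, ip, page, s["user"],
                             f"IP {ip} should be autoblocked (used by {s['user']})"))
    return hits


def summarize(hits: List[Hit]) -> Dict[str, int]:
    """Flagged edits per suppressed account, for a quick triage view."""
    counts: Dict[str, int] = {}
    for _, _, _, _, blocked_user, _ in hits:
        counts[blocked_user] = counts.get(blocked_user, 0) + 1
    return counts


if __name__ == "__main__":
    found = find_bypass_edits(SUPPRESSIONS, EDITS)
    for ts, actor, ip, page, _, reason in found:
        print(f"{ts} {actor:>14} {ip:>13} {page:<12} {reason}")
    print(summarize(found))
```

Edits before the suppression and edits after the window expires are deliberately not flagged, so the output is a list of edits that should have been impossible rather than a history of the account. Each hit is a candidate for a manual IP block and a revert.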

🔗 References

  • Wikimedia Phabricator task T281972: https://phabricator.wikimedia.org/T281972
  • NVD entry for CVE-2021-36128: https://nvd.nist.gov/vuln/detail/CVE-2021-36128