CVE-2021-41801

8.8 HIGH

📋 TL;DR

This vulnerability in MediaWiki's ReplaceText extension allows blocked users to still execute previously submitted text replacement jobs through the job queue. It affects MediaWiki installations using ReplaceText extension versions up to 1.41. The issue enables unauthorized content modification even after user privileges have been revoked.

💻 Affected Systems

Products:
  • MediaWiki ReplaceText Extension
Versions: All versions through 1.41
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects MediaWiki installations that have the ReplaceText extension enabled and use the job queue.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Blocked malicious users could modify sensitive content across the wiki, potentially defacing pages, inserting malicious code, or altering critical information.

🟠 Likely Case

Blocked users with pending replacement jobs could unintentionally or maliciously modify wiki content they should no longer have access to edit.

🟢 If Mitigated

With proper monitoring and job queue management, impact is limited to delayed unauthorized edits that can be detected and reverted.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires a user account with ReplaceText privileges that gets blocked after job submission.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: ReplaceText extension version 1.42+

Vendor Advisory: https://phabricator.wikimedia.org/T279090

Restart Required: No

Instructions:

1. Update ReplaceText extension to version 1.42 or later.
2. Update via MediaWiki extension manager or manually replace extension files.
3. No MediaWiki core update required.

🔧 Temporary Workarounds

Disable ReplaceText Extension

all

Temporarily disable the vulnerable extension until patched

Remove or comment out wfLoadExtension('ReplaceText'); from LocalSettings.php

Clear Job Queue After Blocking Users

all

Manually remove pending jobs from blocked users

DELETE FROM job WHERE job_cmd = 'replaceText' AND job_user = [BLOCKED_USER_ID]

🧯 If You Can't Patch

  • Implement strict monitoring of job queue and user blocking events
  • Disable ReplaceText functionality for all non-admin users

🔍 How to Verify

Check if Vulnerable:

Check the ReplaceText extension version on MediaWiki's Special:Version page or in the extension directory

Check Version:

grep '"version"' /path/to/mediawiki/extensions/ReplaceText/extension.json

Verify Fix Applied:

Confirm ReplaceText extension version is 1.42 or higher in Special:Version

📡 Detection & Monitoring

Log Indicators:

  • Job queue executions by blocked users
  • ReplaceText jobs running after user blocking events

Network Indicators:

  • Unusual pattern of text replacement API calls

SIEM Query:

source="mediawiki_logs" AND (event="job_run" OR event="user_blocked") | stats count by user
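
The two log indicators above only become a detection when block events are correlated in time with later job runs for the same user. The Python below is an added example (not code from MediaWiki, the ReplaceText project, or this advisory) that does this over constructed JSON-line events; the `event` and `user` fields follow the SIEM query, while `ts`, `job_type` and the `user_unblocked` event are assumptions about the log schema.

```python
import json
from datetime import datetime

# Constructed sample events (JSON lines). "event", "user", "job_run" and
# "user_blocked" follow the SIEM query above; "ts", "job_type" and
# "user_unblocked" are assumptions made for this example.
SAMPLE_LOG = """\
{"ts": "2021-09-01T10:00:00", "event": "job_run", "user": "alice", "job_type": "replaceText"}
{"ts": "2021-09-01T10:05:00", "event": "user_blocked", "user": "mallory"}
{"ts": "2021-09-01T10:06:30", "event": "job_run", "user": "mallory", "job_type": "replaceText"}
{"ts": "2021-09-01T10:07:00", "event": "job_run", "user": "mallory", "job_type": "refreshLinks"}
{"ts": "2021-09-01T10:04:00", "event": "job_run", "user": "mallory", "job_type": "replaceText"}
{"ts": "2021-09-01T11:00:00", "event": "user_blocked", "user": "bob"}
{"ts": "2021-09-01T11:30:00", "event": "user_unblocked", "user": "bob"}
{"ts": "2021-09-01T11:45:00", "event": "job_run", "user": "bob", "job_type": "replaceText"}
not-json garbage line
"""

def parse_events(text):
    """Parse JSON lines, skip malformed ones, return events in time order."""
    events = []
    for line in text.splitlines():
        try:
            ev = json.loads(line)
            ev = {**ev, "ts": datetime.fromisoformat(ev["ts"])}
            _ = ev["event"], ev["user"]  # required fields
        except (ValueError, KeyError, TypeError):
            continue
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])  # logs may arrive out of order

def jobs_run_while_blocked(events, job_type="replaceText"):
    """Return (user, job time, block time) for jobs run while the user was blocked."""
    blocked_since = {}
    hits = []
    for ev in events:
        user = ev["user"]
        if ev["event"] == "user_blocked":
            blocked_since.setdefault(user, ev["ts"])
        elif ev["event"] == "user_unblocked":
            blocked_since.pop(user, None)
        elif ev["event"] == "job_run" and ev.get("job_type") == job_type:
            if user in blocked_since:
                hits.append((user, ev["ts"], blocked_since[user]))
    return hits

if __name__ == "__main__":
    for user, ran, blocked in jobs_run_while_blocked(parse_events(SAMPLE_LOG)):
        print(f"ALERT {user}: replaceText job at {ran} ran {ran - blocked} after block at {blocked}")
```

Each hit is an edit to review and, if unauthorized, revert; jobs that ran before the block or after an unblock are not flagged.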
