CVE-2022-28205

9.8 CRITICAL

📋 TL;DR

A critical vulnerability in MediaWiki's CentralAuth extension stems from improper handling of group expiration timestamps (TTL) and can enable privilege escalation. It affects MediaWiki installations that have the CentralAuth extension enabled. Attackers could gain unauthorized administrative access to the wiki system.

💻 Affected Systems

Products:
  • MediaWiki with CentralAuth extension
Versions: MediaWiki through 1.37.1 with CentralAuth extension
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations with CentralAuth extension enabled. Single-wiki installations without CentralAuth are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise through privilege escalation to administrator level, allowing data manipulation, content deletion, or installation of backdoors.

🟠 Likely Case

Unauthorized access to sensitive wiki content, user data exposure, and privilege escalation to edit protected pages.

🟢 If Mitigated

Limited impact with proper access controls and monitoring, but still represents an authentication bypass risk.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires some authentication access to exploit the TTL handling issue. No public exploit code available at time of analysis.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: MediaWiki 1.37.2 or later

Vendor Advisory: https://phabricator.wikimedia.org/T302248

Restart Required: No

Instructions:

1. Update MediaWiki to version 1.37.2 or later.
2. Update the CentralAuth extension if it is installed separately.
3. Clear the MediaWiki cache.
4. Verify that group permissions are functioning correctly.

🔧 Temporary Workarounds

Disable CentralAuth Extension (Platforms: all)

Temporarily disable the CentralAuth extension if it is not essential for operations.

Edit LocalSettings.php and comment out or remove: wfLoadExtension('CentralAuth');

Restrict Group Management (Platforms: all)

Tighten group permission controls and audit group membership changes.

Review and restrict the $wgGroupPermissions settings in LocalSettings.php.

🧯 If You Can't Patch

  • Implement strict access controls and monitor group permission changes
  • Deploy web application firewall rules to detect authentication anomalies

🔍 How to Verify

Check if Vulnerable:

Check the MediaWiki version, for example with: php maintenance/version.php (or open Special:Version in the wiki). If the version is 1.37.1 or earlier and CentralAuth is enabled, the system is vulnerable.

Check Version:

php maintenance/version.php

Verify Fix Applied:

Verify MediaWiki version is 1.37.2 or later and test group permission functionality.
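The following helper is an added example, not part of this advisory or of MediaWiki itself. It automates the check above on the two files a verifier would read: it parses MW_VERSION from includes/Defines.php (assumed layout, MediaWiki 1.35+), checks whether LocalSettings.php loads CentralAuth on a non-commented line, and reports vulnerable only when both conditions hold; the file contents below are constructed samples.

```python
import re
from typing import Optional, Tuple

# First fixed release named by the advisory; older branches are treated as vulnerable (conservative).
FIXED_VERSION = (1, 37, 2)

# Constructed sample file contents standing in for includes/Defines.php and LocalSettings.php.
SAMPLE_DEFINES_PHP = """<?php
define( 'MW_VERSION', '1.37.1' );
"""
SAMPLE_LOCALSETTINGS_PHP = """<?php
$wgSitename = "ExampleWiki";
wfLoadExtension( 'Cite' );
wfLoadExtension( 'CentralAuth' );
# wfLoadExtension( 'OAuth' );
"""


def parse_version(defines_php: str) -> Optional[Tuple[int, ...]]:
    """Return the MW_VERSION define as an integer tuple, or None if it is absent."""
    m = re.search(r"define\(\s*['\"]MW_VERSION['\"]\s*,\s*['\"](\d+(?:\.\d+)*)", defines_php)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def centralauth_enabled(local_settings: str) -> bool:
    """True if LocalSettings.php loads CentralAuth on a line that is not commented out."""
    for line in local_settings.splitlines():
        code = line.split("#", 1)[0].split("//", 1)[0]  # drop trailing line comments
        if re.search(r"wfLoadExtension\(\s*['\"]CentralAuth['\"]\s*\)", code):
            return True
        if "extensions/CentralAuth/CentralAuth.php" in code:  # legacy require_once style
            return True
    return False


def is_vulnerable(defines_php: str, local_settings: str) -> bool:
    """Vulnerable only when the version predates the fix AND CentralAuth is enabled."""
    version = parse_version(defines_php)
    if version is None:
        raise ValueError("MW_VERSION not found in includes/Defines.php")
    return version < FIXED_VERSION and centralauth_enabled(local_settings)


if __name__ == "__main__":
    state = "vulnerable" if is_vulnerable(SAMPLE_DEFINES_PHP, SAMPLE_LOCALSETTINGS_PHP) else "not vulnerable"
    print(f"MediaWiki {parse_version(SAMPLE_DEFINES_PHP)} with CentralAuth: {state}")
```

Run it against the real files by reading includes/Defines.php and LocalSettings.php from the wiki root and passing their contents to is_vulnerable().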

📡 Detection & Monitoring

Log Indicators:

  • Unexpected group permission changes
  • Authentication events with unusual TTL values
  • CentralAuth extension errors

Network Indicators:

  • Unusual authentication requests to CentralAuth endpoints

SIEM Query:

source="mediawiki.log" AND ("CentralAuth" OR "group change" OR "permission escalation")
