CVE-2022-29906

9.8 CRITICAL

📋 TL;DR

This vulnerability allows attackers to bypass authorization checks in the QuizGame extension for MediaWiki, granting unauthorized access to admin API functions. Any MediaWiki installation with the QuizGame extension enabled is affected. Attackers can perform administrative actions without proper authentication.

💻 Affected Systems

Products:
  • MediaWiki QuizGame Extension
Versions: MediaWiki versions through 1.37.2 with QuizGame extension before commit 665e33a68f6fa1167df99c0aa18ed0157cdf9f66
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations with the QuizGame extension enabled. The vulnerability is in the extension's admin API module.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the MediaWiki instance through unauthorized administrative actions, potentially leading to data manipulation, privilege escalation, or site defacement.

🟠 Likely Case

Unauthorized users gain administrative privileges within the QuizGame extension, allowing them to manipulate quiz content, user scores, or game settings.

🟢 If Mitigated

Limited impact if proper network segmentation and access controls prevent unauthorized users from reaching the vulnerable endpoint.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires reaching the admin API endpoint, but the vulnerable code path bypasses the quizadmin user-right check, so the check itself requires no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: MediaWiki QuizGame extension commit 665e33a68f6fa1167df99c0aa18ed0157cdf9f66 or later

Vendor Advisory: https://phabricator.wikimedia.org/T302199

Restart Required: No

Instructions:

1. Update MediaWiki to version 1.37.3 or later.
2. Update the QuizGame extension to commit 665e33a68f6fa1167df99c0aa18ed0157cdf9f66 or later.
3. Clear the MediaWiki cache if applicable.

🔧 Temporary Workarounds

Disable QuizGame Extension

Platform: all

Temporarily disable the vulnerable QuizGame extension until patching is possible.

Edit LocalSettings.php and comment out or remove the line: wfLoadExtension('QuizGame');

Restrict API Access

Platform: linux

Implement network-level restrictions to limit access to the admin API endpoint.

Configure the web server (Apache/Nginx) to restrict access to the /api.php endpoint to trusted IPs only.

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can reach the MediaWiki instance.
  • Monitor admin API logs for unauthorized access attempts and implement alerting.

🔍 How to Verify

Check if Vulnerable:

Check whether the QuizGame extension is enabled and whether its installed version predates commit 665e33a68f6fa1167df99c0aa18ed0157cdf9f66.

Check Version:

Check MediaWiki's Special:Version page, or examine the extension files for the commit hash.

Verify Fix Applied:

Verify that the QuizGame extension is updated to commit 665e33a68f6fa1167df99c0aa18ed0157cdf9f66 or later.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to QuizGame admin API endpoints
  • Unexpected quizadmin privilege usage

Network Indicators:

  • Unusual API requests to /api.php with quiz-related parameters

SIEM Query:

source="mediawiki.log" AND ("QuizGame" OR "quizadmin") AND ("unauthorized" OR "admin" OR "api")
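As an added illustration of the network indicator above (not part of this advisory or of the QuizGame project), a small Python script that scans web-server access-log lines for /api.php requests carrying quiz-related parameters from outside a trusted address range. The trusted range, the sample log lines and the parameter names in them are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs
from ipaddress import ip_address, ip_network

# Assumed trusted source ranges; adjust to your own allowlist.
TRUSTED_NETS = [ip_network("10.0.0.0/8")]

# Combined log format: ip - user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_quiz_api_request(target):
    """True when the request hits /api.php with any quiz-related parameter name or value."""
    parts = urlsplit(target)
    if not parts.path.endswith("/api.php"):
        return False
    params = parse_qs(parts.query)
    return any("quiz" in key.lower() or any("quiz" in v.lower() for v in values)
               for key, values in params.items())


def is_trusted(ip):
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def find_suspicious(lines):
    """Return (ip, target) pairs for quiz API calls from outside the trusted ranges.

    Note: POST bodies are not in access logs, so pair this with MediaWiki's own API log.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_quiz_api_request(m["target"]) and not is_trusted(m["ip"]):
            hits.append((m["ip"], m["target"]))
    return hits


# Constructed sample lines, not real traffic; "action=quizgame" is a placeholder parameter.
SAMPLE_LOG = [
    '10.1.2.3 - - [01/May/2022:10:00:00 +0000] "GET /w/api.php?action=query&meta=siteinfo HTTP/1.1" 200 512',
    '10.1.2.3 - - [01/May/2022:10:00:05 +0000] "POST /w/api.php?action=quizgame HTTP/1.1" 200 80',
    '203.0.113.9 - - [01/May/2022:10:01:00 +0000] "POST /w/api.php?action=quizgame HTTP/1.1" 200 80',
    '203.0.113.9 - - [01/May/2022:10:01:30 +0000] "GET /w/index.php?title=Main_Page HTTP/1.1" 200 4096',
]
```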
