CVE-2024-34502
📋 TL;DR
Special:MergeLexemes in the WikibaseLexeme extension performed lexeme merges without requiring a POST request or a valid edit token, so the merge could be triggered by a crafted link or a third-party page (cross-site request forgery). A remote attacker who gets a logged-in user holding the merge right to open such a link can merge two lexemes in that user's name. It affects MediaWiki installations with the WikibaseLexeme extension enabled.
💻 Affected Systems
- MediaWiki with WikibaseLexeme extension
📦 What is this software?
- MediaWiki by Mediawiki: the wiki engine; WikibaseLexeme is an extension that adds lexeme (dictionary) entities on top of the Wikibase extension
- Fedora by Fedoraproject: ships MediaWiki as a distribution package, hence the package-announce advisory under References
⚠️ Risk & Real-World Impact
Worst Case
A remote attacker with no account on the wiki who lures a logged-in user holding the merge right onto a crafted page or link can merge arbitrary lexemes in that user's name, corrupting linguistic data; undoing a merge means manually reverting the edits on both lexemes, and anything that consumed the data in between has already seen the wrong state.
Likely Case
A few editors who hold the merge right are tricked into triggering merges they never intended, leaving wrong or duplicated lexeme data that is attributed to them and that downstream applications relying on the lexeme data pick up before anyone notices.
If Mitigated
If the endpoint is blocked at the web server or the merge right is restricted to a small trusted group, the attack surface shrinks to those accounts: a user with the right can still merge through the wiki's own form as intended, but is still exposed to a forged request until the patch is applied. Network restrictions on the wiki itself do not stop the forgery, because the request comes from an allowed user's browser.
🎯 Exploit Status
No exploit tooling is needed; this is a cross-site request forgery (CWE-352). Because the page acted on GET requests and never checked the edit token, an attacker only has to get a logged-in user who holds the merge right to open a crafted URL (or a page with an auto-submitting form): the browser attaches the victim's session cookie and the wiki performs the merge in the victim's name. Anonymous requests were always refused, so the permission check was never the bug.
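The difference between the vulnerable and the fixed request handling, as an added model in Python (not the extension's PHP code): the first handler checks only the user's permission, the second additionally requires a POST and a token bound to the session, which is what MediaWiki core exposes as WebRequest::wasPosted() and the edit-token match. The field names from-id and to-id, the right name lexeme-merge and the token derivation are assumptions made for the model; only wpEditToken is MediaWiki's real form field.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

TOKEN_SUFFIX = "+\\"            # MediaWiki appends "+\" to edit tokens; the model keeps that
MERGE_RIGHT = "lexeme-merge"    # assumed name of the right that gates merging (hypothetical)


@dataclass
class Session:
    """Cookie-bound login session. The browser attaches it to every request to the wiki,
    including requests that a third-party page triggers."""
    user: str
    rights: frozenset
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))


@dataclass
class Request:
    method: str
    params: dict                 # query string or form fields, as the special page sees them
    session: Optional[Session]   # None for an anonymous request


def edit_token(session: Session) -> str:
    """Per-session token derived from a secret a cross-site page cannot read."""
    digest = hmac.new(session.secret, b"edit-token", hashlib.sha256).hexdigest()
    return digest + TOKEN_SUFFIX


def match_edit_token(session: Session, presented: Optional[str]) -> bool:
    if not presented:
        return False
    return hmac.compare_digest(presented, edit_token(session))


def _authorised(req: Request) -> bool:
    return req.session is not None and MERGE_RIGHT in req.session.rights


def merge_lexemes_vulnerable(req: Request) -> str:
    """Pre-fix behaviour: the permission is checked, the method and token are not."""
    if not _authorised(req):
        return "permission-denied"
    return f"merged {req.params['from-id']} into {req.params['to-id']}"


def merge_lexemes_hardened(req: Request) -> str:
    """Post-fix behaviour: act only on a POST that carries the session's own edit token."""
    if not _authorised(req):
        return "permission-denied"
    if req.method != "POST":
        return "rejected: POST required"
    if not match_edit_token(req.session, req.params.get("wpEditToken")):
        return "rejected: edit token missing or invalid"
    return f"merged {req.params['from-id']} into {req.params['to-id']}"


def csrf_scenarios() -> dict:
    """Run four constructed requests through both handlers; returns name -> (before, after)."""
    victim = Session(user="Editor", rights=frozenset({MERGE_RIGHT, "edit"}))
    ids = {"from-id": "L123", "to-id": "L456"}
    # 1. Attacker-crafted link: the victim clicks it, so the browser sends the victim's session.
    crafted_link = Request("GET", dict(ids), victim)
    # 2. Auto-submitting form on the attacker's page: still no token, the attacker cannot read it.
    forged_post = Request("POST", dict(ids), victim)
    # 3. Genuine submission of the wiki's own form, which embeds the token.
    genuine = Request("POST", {**ids, "wpEditToken": edit_token(victim)}, victim)
    # 4. Anonymous request: refused by both; the permission check was never the bug.
    anonymous = Request("GET", dict(ids), None)
    return {
        name: (merge_lexemes_vulnerable(r), merge_lexemes_hardened(r))
        for name, r in [("crafted_link", crafted_link), ("forged_post", forged_post),
                        ("genuine", genuine), ("anonymous", anonymous)]
    }


if __name__ == "__main__":
    for name, (before, after) in csrf_scenarios().items():
        print(f"{name:13} before fix: {before:40} after fix: {after}")
```

The POST requirement alone is not enough (scenario 2 shows a forged POST reaching the token check), and the token alone would still let a GET through a bookmark or link leak; the fix needs both, which is why the model rejects on either.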
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: MediaWiki 1.39.7, 1.40.3, or 1.41.1 (the security release tracked in the advisory task), with the WikibaseLexeme extension updated to a revision that includes the fix
Vendor Advisory: https://phabricator.wikimedia.org/T357101
Restart Required: No (see step 3)
Instructions:
1. Update the WikibaseLexeme extension to a revision containing the fix: the gerrit change listed under References, or its backport on the release branch matching your core version (REL1_39, REL1_40, REL1_41). The extension is not part of the core tarball, so updating core alone does not fix this.
2. Update MediaWiki core to 1.39.7, 1.40.3, or 1.41.1 or later, so the other fixes in the same security release are applied as well.
3. No service restart is needed for a PHP file update unless PHP opcache runs with opcache.validate_timestamps=0; in that case reload PHP-FPM (or the web server's PHP module) so the patched files are loaded.
🔧 Temporary Workarounds
Disable WikibaseLexeme extension
Temporarily disable the vulnerable extension until patching is possible. Note that this removes all lexeme functionality from the wiki, not just merging.
Edit LocalSettings.php and comment out or remove: wfLoadExtension('WikibaseLexeme');
Restrict access to Special:MergeLexemes
Use web server rules to block access to the vulnerable endpoint. The pretty path below assumes the default $wgArticlePath of /wiki/$1; the same special page is also reachable as index.php?title=Special:MergeLexemes under $wgScriptPath (/w in these examples), special page names are matched case-insensitively, and non-English wikis may use a localized namespace prefix instead of "Special:", so block both forms and adjust the paths to your installation.
For Apache (2.4 syntax):
<LocationMatch "(?i)^/wiki/Special:MergeLexemes">
    Require all denied
</LocationMatch>
<If "%{REQUEST_URI} == '/w/index.php' && %{QUERY_STRING} =~ /title=Special(:|%3A)MergeLexemes/i">
    Require all denied
</If>
For Nginx (put the regex location before the generic location that serves /wiki/, and the if inside the location that serves /w/index.php; $arg_title holds the raw, still percent-encoded value):
location ~* ^/wiki/Special:MergeLexemes { deny all; }
if ($arg_title ~* "^Special(:|%3A)MergeLexemes$") { return 403; }
🧯 If You Can't Patch
- Restrict the user right that permits lexeme merges to a small, trusted group via $wgGroupPermissions, so only those accounts are worthwhile targets; the exact right name is declared in the extension's extension.json
- Warn those users not to follow untrusted links while logged in. Browser SameSite=Lax cookie defaults do not help here: the vulnerable page accepts GET, and Lax still sends cookies on top-level GET navigations
- Network restrictions on who can reach the wiki do not stop the forgery by themselves, because the forged request comes from an allowed user's browser
- Monitor logs for GET requests to Special:MergeLexemes that carry merge parameters or arrive with an off-site Referer, and review recent lexeme merges for ones the editor did not intend
🔍 How to Verify
Check if Vulnerable:
Confirm WikibaseLexeme is loaded (it is listed under Installed extensions on Special:Version) and that its checkout predates the fix commit. Requesting Special:MergeLexemes without being logged in proves nothing, because the permission check was never the bug. To test behaviour, log in on a staging copy as a user who holds the merge right, create two throwaway lexemes, and submit the form's fields by GET (or by POST with the wpEditToken field removed): a vulnerable install performs the merge, a fixed one refuses.
Check Version:
Check the MediaWiki version via Special:Version, `php maintenance/version.php`, or the MW_VERSION constant in includes/Defines.php (LocalSettings.php does not contain the version). Because WikibaseLexeme is installed separately from core, also check the extension's version and git commit on Special:Version or with `git -C extensions/WikibaseLexeme log -1`.
Verify Fix Applied:
After the update, verify the MediaWiki version is 1.39.7, 1.40.3, 1.41.1 or later and that the WikibaseLexeme checkout includes the fix commit. Then repeat the staging test: a GET carrying the merge fields, or a POST without a valid wpEditToken, must be refused, and only a submission of the wiki's own form must merge.
📡 Detection & Monitoring
Log Indicators:
- GET requests to Special:MergeLexemes that carry the merge form's parameters in the query string (a benign visit to the blank form carries none); check both URL forms, /wiki/Special:MergeLexemes and index.php?title=Special:MergeLexemes
- Requests to Special:MergeLexemes whose Referer is an external site, or absent where it is normally present
- Merge edits on Lexeme pages in RecentChanges or the lexeme history by users who do not recall performing them, or bursts of merges from one account
Note that a forged request is not unauthenticated: it rides on the victim's session cookie, so the web server log shows an ordinary logged-in request.
Network Indicators:
- Traffic is normally TLS, so inspect at the reverse proxy or web server rather than on the wire
- Non-POST requests to Special:MergeLexemes with a non-empty query string, especially when they follow a redirect from an external page
SIEM Query (pseudo-syntax; replace the host and paths with your own):
source="mediawiki_access_logs" AND http_method="GET" AND (url_path="/wiki/Special:MergeLexemes" OR (url_path="/w/index.php" AND url_query="*title=Special%3AMergeLexemes*")) AND url_query!="" AND NOT referer="https://wiki.example.org/*"
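The same detection logic as a runnable Python script over constructed access-log lines, added here as an example and not part of the original advisory: it resolves both URL forms of the special page, ignores benign form views and genuine POSTs, and flags GET requests that carry merge parameters or arrive with an off-site Referer. The wiki host, the sample log lines and the field names from-id and to-id are constructed assumptions; adjust them to your installation.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/nginx "combined" format:
#   ip ident user [time] "METHOD target PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

WIKI_HOST = "wiki.example.org"          # constructed: host of the wiki being monitored
MERGE_PARAMS = {"from-id", "to-id"}     # assumed names of the merge form's two ID fields
SPECIAL_PAGE = "special:mergelexemes"   # compared case-insensitively, like MediaWiki aliases


def targets_merge_lexemes(target: str):
    """Return (hit, query). hit is True when the request target resolves to
    Special:MergeLexemes via the $wgArticlePath form (/wiki/Special:MergeLexemes)
    or the index.php?title= form; percent-encoding is undone before comparing."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    query = parse_qs(parts.query)   # values are already percent-decoded
    if path.lower().endswith("/" + SPECIAL_PAGE):
        return True, query
    if path.endswith("/index.php"):
        for title in query.get("title", []):
            if title.lower() == SPECIAL_PAGE:
                return True, query
    return False, query


def classify(line: str):
    """Return a finding for a suspicious merge request, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    hit, query = targets_merge_lexemes(m["target"])
    if not hit:
        return None
    reasons = []
    if m["method"] != "POST" and MERGE_PARAMS.intersection(query):
        # Merge parameters arriving by GET is exactly what the unpatched page acted on.
        reasons.append(f"merge parameters sent via {m['method']}")
    referer_host = urlsplit(m["referer"]).hostname if m["referer"] != "-" else None
    if referer_host and referer_host.lower() != WIKI_HOST:
        reasons.append(f"cross-site referer {referer_host}")
    if not reasons:
        return None
    return {"ip": m["ip"], "time": m["time"], "method": m["method"],
            "status": m["status"], "reasons": reasons}


def scan(lines):
    return [f for f in map(classify, lines) if f]


# Constructed sample log; none of these lines come from a real system.
SAMPLE_LOG = [
    # Editor opens the blank form from inside the wiki: benign.
    '203.0.113.5 - - [25/Apr/2024:10:00:01 +0000] "GET /wiki/Special:MergeLexemes HTTP/1.1" '
    '200 5123 "https://wiki.example.org/wiki/Lexeme:L123" "Mozilla/5.0"',
    # Crafted link on a third-party page, pretty-URL form: merge parameters by GET, off-site referer.
    '203.0.113.5 - - [25/Apr/2024:10:02:17 +0000] "GET /wiki/Special:MergeLexemes?from-id=L123&to-id=L456 HTTP/1.1" '
    '302 0 "https://evil.example/lure.html" "Mozilla/5.0"',
    # Same attack through index.php with an encoded title and no referer (e.g. a link in e-mail).
    '198.51.100.9 - - [25/Apr/2024:10:05:42 +0000] "GET /w/index.php?title=Special%3AMergeLexemes&from-id=L7&to-id=L8 HTTP/1.1" '
    '302 0 "-" "Mozilla/5.0"',
    # Genuine submission of the wiki's own form (the token travels in the POST body, not the log).
    '203.0.113.5 - - [25/Apr/2024:10:09:03 +0000] "POST /wiki/Special:MergeLexemes HTTP/1.1" '
    '302 0 "https://wiki.example.org/wiki/Special:MergeLexemes" "Mozilla/5.0"',
    # Unrelated traffic.
    '192.0.2.77 - - [25/Apr/2024:10:10:00 +0000] "GET /wiki/Lexeme:L1 HTTP/1.1" 200 8811 "-" "curl/8.0"',
]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The script only sees what the web server logs: POST bodies are not recorded, so a forged POST without a token is invisible here and has to be caught by the application-side fix, and a localized special page alias would need to be added to SPECIAL_PAGE on a non-English wiki.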
🔗 References
- https://gerrit.wikimedia.org/r/c/mediawiki/extensions/WikibaseLexeme/+/1013359
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FU2FGUXXK6TMV6R52VRECLC6XCSQQISY/
- https://phabricator.wikimedia.org/T357101