CVE-2024-47849

9.8 CRITICAL

📋 TL;DR

This SQL injection vulnerability in MediaWiki's Cargo extension allows attackers to execute arbitrary SQL commands on the database. It affects MediaWiki installations using the Cargo extension version 3.6.X before 3.6.1. Attackers could potentially read, modify, or delete database contents.

💻 Affected Systems

Products:
  • MediaWiki Cargo extension
Versions: 3.6.X before 3.6.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects MediaWiki installations with the Cargo extension enabled. Base MediaWiki without Cargo is not affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including data theft, data manipulation, privilege escalation, and potential remote code execution through database functions.

🟠 Likely Case

Unauthorized data access, data manipulation, and potential privilege escalation within the MediaWiki application.

🟢 If Mitigated

Limited impact with proper input validation and database permissions, potentially only allowing data reading from accessible tables.

🌐 Internet-Facing: HIGH - MediaWiki instances are typically internet-facing, making them directly accessible to attackers.
🏢 Internal Only: MEDIUM - Internal instances could still be exploited by malicious insiders or through compromised internal systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

SQL injection vulnerabilities typically have low exploitation complexity. The vulnerability appears to require some level of access to MediaWiki functions that use Cargo.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.6.1

Vendor Advisory: https://phabricator.wikimedia.org/T368628

Restart Required: No

Instructions:

1. Update the Cargo extension to version 3.6.1 or later.
2. For MediaWiki installations using Composer: run 'composer update mediawiki/cargo'.
3. For manual installations: download and replace the Cargo extension files from the official repository.

🔧 Temporary Workarounds

Disable Cargo Extension (applies to: all)

Temporarily disable the Cargo extension if immediate patching is not possible.

Edit LocalSettings.php and remove or comment out the line:

wfLoadExtension('Cargo');

Web Application Firewall (applies to: all)

Implement WAF rules to block SQL injection patterns targeting Cargo endpoints.

🧯 If You Can't Patch

  • Implement strict input validation and parameterized queries for all Cargo-related functionality
  • Restrict database user permissions to minimum required for Cargo operations

🔍 How to Verify

Check if Vulnerable:

Check Cargo extension version in MediaWiki's Special:Version page or examine the Cargo extension directory for version files.

Check Version:

grep -r 'CARGO_VERSION' /path/to/mediawiki/extensions/Cargo/ || grep '"version"' /path/to/mediawiki/extensions/Cargo/extension.json

Verify Fix Applied:

Verify Cargo extension version is 3.6.1 or later via Special:Version page or check that the vulnerability-specific code changes from the patch are present.
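As an added example (not part of this advisory or of the Cargo project), the following script turns the manual version check above into a repeatable test: it reads the "version" field from Cargo's extension.json (assumed to be present, as the grep above expects) and reports whether the installed release falls in the affected range, 3.6.x before 3.6.1.

```python
import json
import re
from pathlib import Path

# Added example, not advisory or project code. The affected range below is
# exactly the one the advisory states: 3.6.X before 3.6.1.
AFFECTED_BRANCH = (3, 6)   # major, minor of the affected branch
FIXED_PATCH = 1            # first fixed release on that branch is 3.6.1


def parse_version(text):
    """Turn '3.6.0' (or '3.6.1-rc1', suffix ignored) into a tuple of ints."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_vulnerable(version):
    """True only for 3.6.x releases older than 3.6.1, as the advisory scopes it."""
    major, minor, patch = parse_version(version)
    return (major, minor) == AFFECTED_BRANCH and patch < FIXED_PATCH


def check_manifest(manifest_text):
    """Parse an extension.json body and return (version, vulnerable)."""
    manifest = json.loads(manifest_text)
    version = manifest["version"]          # assumed key, as in the grep check above
    return version, is_vulnerable(version)


def check_extension_dir(cargo_dir):
    """Read extensions/Cargo/extension.json from disk and return (version, vulnerable)."""
    manifest_path = Path(cargo_dir) / "extension.json"
    return check_manifest(manifest_path.read_text(encoding="utf-8"))


if __name__ == "__main__":
    # Constructed sample manifests; a real run uses check_extension_dir(
    # "/path/to/mediawiki/extensions/Cargo").
    for sample in ('{"name": "Cargo", "version": "3.6.0"}',
                   '{"name": "Cargo", "version": "3.6.1"}'):
        version, vulnerable = check_manifest(sample)
        print(version, "VULNERABLE (CVE-2024-47849)" if vulnerable else "not in affected range")
```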

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts followed by Cargo-related requests
  • Requests with SQL syntax in Cargo-related parameters

Network Indicators:

  • Unusual patterns of requests to Cargo API endpoints
  • Requests containing SQL keywords like UNION, SELECT, INSERT in URL parameters

SIEM Query:

source="web_server_logs" AND (url="*Cargo*" OR url="*cargo*") AND (param="*UNION*" OR param="*SELECT*" OR param="*INSERT*")
