CVE-2015-8627

MEDIUM

Mediawiki < 1.23.11 - Improper Access Control

Title source: rule

Description

MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1 do not properly normalize IP addresses containing zero-padded octets, which might allow remote attackers to bypass intended access restrictions by using an IP address that was not supposed to have been allowed.

References (4)

[Mailing List, Patch, Third Party Advisory] http://www.openwall.com/lists/oss-security/2015/12/21/8

[Mailing List, Patch, Third Party Advisory] http://www.openwall.com/lists/oss-security/2015/12/23/7

[Patch, Release Notes, Vendor Advisory] https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-December/000186.html

[Patch, Third Party Advisory] https://phabricator.wikimedia.org/T97897

Scores

CVSS v3 5.3

EPSS 0.0043

EPSS Percentile 62.2%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Classification

CWE

CWE-284

Status published

Affected Products (12)

mediawiki/mediawiki < 1.23.11

mediawiki/mediawiki

mediawiki/mediawiki

mediawiki/mediawiki

mediawiki/mediawiki

mediawiki/mediawiki

mediawiki/mediawiki

mediawiki/mediawiki

mediawiki/mediawiki

mediawiki/mediawiki

mediawiki/mediawiki

n/a/n/a

Timeline

Published Mar 23, 2017

Tracked Since Feb 18, 2026