CVE-2022-28205 in MediaWiki
Summary
by MITRE • 03/30/2022
An issue was discovered in MediaWiki through 1.37.1. The CentralAuth extension mishandles a TTL issue for groups expiring in the future.
Analysis
by VulDB Data Team • 05/16/2026
CVE-2022-28205 affects MediaWiki through version 1.37.1 via the CentralAuth extension. CentralAuth manages user authentication across the wikis of a MediaWiki federation, providing centralized account management and cross-wiki login. The flaw lies in how the extension handles the time-to-live (TTL) for group memberships that are scheduled to expire in the future, which can affect access control and authentication across the connected wikis.
The defect is in the CentralAuth extension's handling of temporal group expiration within its database and access-control code. When a user's groups carry future expiration dates, the extension does not process or validate these time-based parameters correctly, which can leave group membership in an incorrect state. The problem surfaces during the routine checks that compare group memberships against their expiration times. It likely stems from inadequate validation or a flawed timestamp comparison that does not properly account for future expiration, which could allow intended access restrictions to be bypassed.
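As an added illustration of the hazard class described above (constructed for this page, not CentralAuth's code and not a claim about its exact internals): a cached group-membership set must not outlive the earliest future expiry, and already-expired rows must never feed a zero or negative TTL into the cache layer. The names, the default TTL and the sample memberships are assumptions.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

DEFAULT_TTL = 86400  # assumed default lifetime of a cached membership set (1 day)
NOW = 1_650_000_000  # constructed reference time (Unix seconds)


@dataclass(frozen=True)
class Membership:
    group: str
    expiry: Optional[int]  # Unix time at which the membership lapses; None = permanent


# Constructed sample: one group expiring in 10 minutes, one permanent, one already expired.
SAMPLE = [Membership("sysop", NOW + 600), Membership("editor", None), Membership("steward", NOW - 10)]


def effective_groups(memberships: Iterable[Membership], now: int) -> set:
    """Groups valid at `now`; rows whose expiry has passed are dropped."""
    return {m.group for m in memberships if m.expiry is None or m.expiry > now}


def naive_cache_ttl(memberships: Iterable[Membership], now: int) -> int:
    """Flawed pattern: the cache lifetime ignores pending expiries entirely."""
    return DEFAULT_TTL


def safe_cache_ttl(memberships: Iterable[Membership], now: int) -> int:
    """Bound the cache lifetime by the nearest *future* expiry.
    Expired rows are skipped (effective_groups() already drops them), so the
    result is always >= 1; a zero or negative TTL is exactly the kind of value
    a cache layer that asserts ttl > 0 would reject (compare CWE-617)."""
    ttl = DEFAULT_TTL
    for m in memberships:
        if m.expiry is not None and m.expiry > now:
            ttl = min(ttl, m.expiry - now)
    return ttl


class MembershipCache:
    """Minimal cache: serves the stored set until `cached_until`, then recomputes."""
    def __init__(self, ttl_fn):
        self.ttl_fn = ttl_fn
        self.entry = None  # (groups, cached_until)

    def groups(self, memberships, now):
        if self.entry is not None and now < self.entry[1]:
            return self.entry[0]  # served from cache, possibly stale
        groups = effective_groups(memberships, now)
        self.entry = (groups, now + self.ttl_fn(memberships, now))
        return groups


def stale_privilege_seconds(memberships, now, ttl_fn) -> int:
    """Seconds a cache built at `now` with `ttl_fn` keeps reporting a group
    after that group has expired; 0 means the cache never outlives a membership."""
    cached_until = now + ttl_fn(memberships, now)
    future = [m.expiry for m in memberships if m.expiry is not None and m.expiry > now]
    return max(0, cached_until - min(future)) if future else 0
```

With `naive_cache_ttl` the sample's `sysop` membership is still reported for 85800 seconds after it lapses; with `safe_cache_ttl` the stale window is 0.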
The operational impact goes beyond a simple access-control inconsistency: the flaw could enable unauthorized privilege escalation or persistent access to restricted resources. A user able to exploit it might keep access to wiki features or content that should have been withdrawn when the group membership expired, undermining the integrity of multi-wiki federations where CentralAuth manages identities. Because the flaw sits in the core authentication and authorization framework, any wiki instance relying on CentralAuth for user management could be affected. This is a significant concern for organizations running MediaWiki for collaboration, knowledge bases or content management where access control is paramount, since an affected account could retain elevated privileges past its intended expiration date.
Mitigation for CVE-2022-28205 should prioritize an immediate upgrade to MediaWiki 1.37.2 or later, which contains the corrected group-expiration handling. Organizations should also monitor changes to user group memberships and their expiration dates to detect anomalies that might indicate exploitation, and security teams should audit their CentralAuth configurations for improperly configured group expiration settings that could make the issue worse. The fix addresses the underlying CWE-617 weakness (reachable assertion) and the improper validation of expiration timestamps, and maps to ATT&CK technique T1078.004 for valid accounts and privilege escalation through manipulation of the authentication system. Logging and alerting on group membership modifications will help detect exploitation attempts and provide forensic evidence for incident response.