CVE-2024-29883 in CreateWikiinfo

Summary

by MITRE • 03/26/2024

CreateWiki is Miraheze's MediaWiki extension for requesting & creating wikis. Suppression of wiki requests does not work as intended, and always restricts visibility to those with the `(createwiki)` user right regardless of the settings one sets on a given wiki request. This may expose information to users who are not supposed to be able to access it.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 01/02/2026

The vulnerability identified as CVE-2024-29883 affects CreateWiki, a MediaWiki extension developed by Miraheze for managing wiki creation requests and deployments. This extension serves as a centralized system for users to request new wikis while providing administrative controls for managing these requests. The core functionality of CreateWiki includes handling wiki request workflows, managing user permissions, and controlling access to sensitive information related to pending wiki creations. The system operates under the assumption that administrators can configure specific visibility settings for individual wiki requests, allowing them to control which users or groups can access particular request details. This administrative capability is fundamental to maintaining proper information governance and preventing unauthorized access to sensitive operational data.

The technical flaw resides in the implementation of access control mechanisms within the CreateWiki extension's suppression functionality. When administrators attempt to configure visibility settings for specific wiki requests, the system fails to properly respect these configurations. Instead of honoring the intended access controls set by administrators, the extension enforces a hardcoded restriction that only allows users possessing the explicit `(createwiki)` user right to view any wiki request information. This represents a critical breakdown in the principle of least privilege and demonstrates a failure in access control implementation. The vulnerability manifests as a bypass of intended authorization checks, effectively undermining the security model that should allow granular control over request visibility. This flaw directly violates security design principles and creates an unintended information disclosure scenario.

The operational impact of this vulnerability extends beyond simple information exposure to encompass broader security implications for organizations relying on CreateWiki for wiki management. Administrators who configure wiki request visibility settings to restrict access to specific user groups or roles will find their configurations ignored, potentially exposing sensitive information about pending wiki creations to unauthorized personnel. This includes details about requested content, user intentions, and organizational planning information that might be considered confidential. The vulnerability affects both the confidentiality and integrity of the system by allowing unauthorized access to information that should remain restricted. In environments where wiki requests might contain sensitive business information, competitive intelligence, or organizational planning details, this exposure could lead to significant operational risks and potential compliance violations.

Mitigation strategies for this vulnerability should focus on immediate code-level fixes to address the access control bypass. The most effective approach involves implementing proper authorization checks that respect the configured visibility settings for each wiki request rather than enforcing a hard-coded restriction. Organizations should also implement monitoring and auditing procedures to detect unauthorized access attempts and ensure proper access control enforcement. Security teams should review existing access control configurations and validate that the intended visibility settings are properly enforced. This vulnerability aligns with CWE-284, which addresses improper access control, and could be categorized under ATT&CK technique T1078 for valid accounts and privilege escalation. Additionally, the issue demonstrates characteristics of CWE-352, representing a cross-site request forgery vulnerability that could be exploited to manipulate access control settings. Regular security assessments and code reviews should be implemented to prevent similar access control bypass vulnerabilities in the future.

Responsible

GitHub, Inc.

Reservation

03/21/2024

Disclosure

03/26/2024

Moderation

accepted

CPE

ready

EPSS

0.00603

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!