Wikimedia Foundation MediaWiki IPInfo Extension Uncontrolled Resource Consumption Vulnerability
Vulnerability
A denial-of-service vulnerability has been identified in the Wikimedia Foundation MediaWiki IPInfo Extension, specifically in versions 1.39.X prior to 1.39.13, 1.42.X prior to 1.42.7, and 1.43.X prior to 1.43.2. Requests to the extension can trigger excessive resource allocation on the database side, resulting in uncontrolled resource consumption.
Impact
Exploitation of this vulnerability causes a significant increase in MySQL query time, with some queries taking up to 58 seconds to process. This delay can disrupt normal operations and user experience.
Reproduction
The vulnerability can be reproduced by accessing the IPInfo tool for an IP address that has no contributions, such as a specific IPv6 address. This triggers a series of database queries that check various tables for IP-related data. The queries are slow because they either scan large tables without using an efficient index or process the data in a way that consumes excessive resources, so a single request can tie up the database for tens of seconds.
Remediation
Users can update to MediaWiki IPInfo Extension versions 1.39.13, 1.42.7, or 1.43.2 to address this vulnerability.