CVE-2025-53371
BaseFortify
Publication date: 2025-07-10
Last updated on: 2025-07-15
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| miraheze | discordnotifications | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the DiscordNotifications extension for MediaWiki, which posts notifications about wiki activity to Discord channels. The extension takes the webhook URLs from the $wgDiscordIncomingWebhookUrl and $wgDiscordAdditionalIncomingWebhookUrls settings and passes them straight to curl or file_get_contents without checking where they point. Whoever can set those configuration values (on a shared wiki farm that may be a per-wiki administrator rather than the host operator) can therefore make the wiki server send requests to arbitrary URLs. Pointing the setting at a very large resource makes the server read it in full, which is a Denial of Service (DoS, CWE-400). Pointing it at internal services is Server-Side Request Forgery (SSRF, CWE-918): because the notification is sent as an HTTP POST, any internal API that accepts unauthenticated POST requests becomes reachable, and depending on what that API does this can escalate to Remote Code Execution (RCE).
How can this vulnerability impact me?
The wiki server itself is the one reading the configured URL, so an attacker who controls the setting can exhaust its resources by making it fetch large files (DoS). The same mechanism lets requests reach services that are only exposed on the server's internal network and are not protected from POST requests originating inside that network (SSRF). In the worst case, an internal API reachable this way allows code execution, giving the attacker RCE on your server.
What immediate steps should I take to mitigate this vulnerability?
Update the DiscordNotifications extension to a build that includes commit 1f20d850cbcce5b15951c7c6127b87b927a5415e, which addresses the issue. Until the fix is deployed, make sure $wgDiscordIncomingWebhookUrl and $wgDiscordAdditionalIncomingWebhookUrls can only be set by trusted operators and point only at Discord webhook endpoints; on hosts where untrusted wiki administrators can edit these settings, restrict or disable them until the patched version is in place.
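The following PHP is an added example, not code from the DiscordNotifications extension and not the content of the fix commit referenced above. It contrasts the unsafe pattern the advisory describes (a configured webhook URL handed directly to file_get_contents or curl) with a hardened sender that allow-lists Discord webhook endpoints and caps the transfer. The function names, the list of Discord hosts and the constructed test URLs are assumptions for illustration; it assumes PHP 8 with the curl extension.

```php
<?php
// Added example, not code from the DiscordNotifications extension.
// Function and variable names are hypothetical; the host list is an assumption.

const DISCORD_WEBHOOK_HOSTS = ['discord.com', 'ptb.discord.com', 'canary.discord.com'];

/**
 * Returns true only for https://<discord host>/api/webhooks/<id>/<token>.
 * Everything else (http://, file://, internal hosts, raw IPs, userinfo
 * tricks such as https://discord.com@10.0.0.5/) is rejected before any
 * network call is made.
 */
function isAllowedDiscordWebhookUrl(string $url): bool {
    $parts = parse_url($url);
    if ($parts === false) {
        return false;
    }
    if (($parts['scheme'] ?? '') !== 'https') {
        return false;
    }
    // Credentials or a custom port are never part of a real Discord webhook URL.
    if (isset($parts['user']) || isset($parts['pass']) || isset($parts['port'])) {
        return false;
    }
    $host = strtolower($parts['host'] ?? '');
    if (!in_array($host, DISCORD_WEBHOOK_HOSTS, true)) {
        return false;
    }
    // Path must be the webhook endpoint: /api/webhooks/<numeric id>/<token>
    return (bool) preg_match('#^/api/webhooks/\d+/[A-Za-z0-9_-]+$#', $parts['path'] ?? '');
}

/** Unsafe: whatever the setting contains is fetched, and the response is read without limit. */
function sendNotificationUnsafe(string $webhookUrl, array $payload): string|false {
    $ctx = stream_context_create(['http' => [
        'method'  => 'POST',
        'header'  => "Content-Type: application/json\r\n",
        'content' => json_encode($payload),
    ]]);
    return file_get_contents($webhookUrl, false, $ctx); // SSRF + unbounded read (DoS)
}

/** Hardened: validate the destination first, then constrain the transfer itself. */
function sendNotificationSafe(string $webhookUrl, array $payload): bool {
    if (!isAllowedDiscordWebhookUrl($webhookUrl)) {
        throw new InvalidArgumentException('Refusing to post to a non-Discord webhook URL');
    }
    $ch = curl_init($webhookUrl);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => json_encode($payload),
        CURLOPT_HTTPHEADER     => ['Content-Type: application/json'],
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,  // no file://, gopher://, plain http://
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION => false,            // a redirect could point back inside
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_MAXFILESIZE    => 64 * 1024,        // Discord replies are small; cap the read
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    return $body !== false && $status >= 200 && $status < 300;
}

// Constructed inputs for a quick self-check; the webhook id and token are made up.
$checks = [
    'https://discord.com/api/webhooks/123456789012345678/AbCdEf_-123' => true,
    'http://discord.com/api/webhooks/1/x'           => false, // not https
    'https://discord.com@10.0.0.5/api/webhooks/1/x' => false, // userinfo trick, real host is 10.0.0.5
    'https://127.0.0.1:8080/internal/admin'         => false, // SSRF target
    'file:///etc/passwd'                            => false, // local read / large-file DoS
    'https://discord.com/api/oauth2/token'          => false, // Discord host, wrong path
];
foreach ($checks as $url => $expected) {
    if (isAllowedDiscordWebhookUrl($url) !== $expected) {
        throw new RuntimeException("unexpected result for $url");
    }
}
echo "webhook URL allow-list checks passed\n";
```

The allow-list check is the part that closes the SSRF and file:// paths; the curl options limit what a request that passes the check can still do (protocol lock, no redirects, timeouts, response-size cap). In a MediaWiki deployment the check belongs wherever the configuration values are consumed, so that a setting changed after validation is re-checked at send time.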