
Obtain CVEs for 1.27.6/1.30.2/1.31.2/1.32.2 security releases
Closed, ResolvedPublic

Description

T197279 - Directly POSTing to Special:ChangeEmail would allow for bypassing reauthentication, allowing for potential account takeover.

Vulnerability type: Incorrect Access Controls

Affects all MediaWiki versions since 1.27.0 (Jun 2016)

CVE-2019-12468


T204729 - Passing invalid titles to the API could cause a DoS by querying the entire watchlist table.

Vulnerability type: Other

Affects all MediaWiki versions since 1.27.0 (Jun 2016)

CVE-2019-12473


T207603 - Loading user JavaScript from a non-existent account allows anyone to create the account, and XSS the users loading that script.

Vulnerability type: XSS

Affects all MediaWiki versions since 1.3.0 (August 2004) if $wgAllowUserJs is enabled (it defaults to false since 1.3.10).

CVE-2019-12471


T199540 - It is possible to bypass the limits on IP range blocks ($wgBlockCIDRLimit) by using the API.

Vulnerability type: Incorrect Access Controls

Affects all MediaWiki versions since 1.18.0 (November 2011).

CVE-2019-12472


T212118 - Privileged API responses that include whether a recent change has been patrolled may be cached publicly

Vulnerability type: Other

Affects all MediaWiki versions since 1.23.0 (June 2014).

CVE-2019-12474


T209794 - A spammer can use Special:ChangeEmail to send out spam with no rate limiting or ability to block them.

Vulnerability type: Incorrect Access Controls

Affects all MediaWiki versions. (I think...)

CVE-2019-12467


T25227 - An account can be logged out without using a token (CSRF)

Vulnerability type:

Affects all MediaWiki versions.

CVE-2019-12466


T222036 - Exposed suppressed username or log in Special:EditTags

Vulnerability type: Incorrect Access Controls

CVE-2019-12469


T222038 - Exposed suppressed log in RevisionDelete page

Vulnerability type: Incorrect Access Controls

Affects

CVE-2019-12470


Not requesting a CVE for T208881 which seems like an issue in browsers, not MediaWiki.

Not requesting a CVE for T207916, which is about improving our auditing and logging.
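The pattern behind T199540 (and, similarly, T197279) is a check enforced on one entry point but skipped on another. As an added example that is not part of this task or of MediaWiki's own code, the Python below keeps the range-width check for $wgBlockCIDRLimit in one function that both a web-form handler and an API handler call, so neither path can be used to bypass it. The limit values (/16 for IPv4, /19 for IPv6), the `BlockRangeTooWide` exception and the `wpTarget`/`user` parameter names are this example's assumptions, not taken from the page or from MediaWiki.

```python
import ipaddress

# Assumed configuration in the shape of $wgBlockCIDRLimit: the narrowest
# prefix length (widest range) an admin may block. Values are this
# example's assumptions, not taken from MediaWiki.
BLOCK_CIDR_LIMIT = {"IPv4": 16, "IPv6": 19}


class BlockRangeTooWide(ValueError):
    """Raised when a CIDR block target is wider than the configured limit."""


def check_block_target(target: str, limit: dict = BLOCK_CIDR_LIMIT) -> str:
    """Validate a block target (username, single IP or CIDR range).

    Returns the normalised target. Raises BlockRangeTooWide when a range is
    wider (smaller prefix length) than the family's limit, and ValueError
    when a CIDR string cannot be parsed at all. This is the single place the
    rule lives; every entry point must call it.
    """
    target = target.strip()
    if "/" not in target:
        try:
            return str(ipaddress.ip_address(target))
        except ValueError:
            # Not an IP at all: treat as a username, which is checked elsewhere.
            return target
    # strict=False normalises host bits away (192.0.2.77/24 -> 192.0.2.0/24).
    net = ipaddress.ip_network(target, strict=False)
    family = "IPv4" if net.version == 4 else "IPv6"
    min_prefix = limit[family]
    if net.prefixlen < min_prefix:
        raise BlockRangeTooWide(
            f"{target}: /{net.prefixlen} is wider than the /{min_prefix} limit for {family}"
        )
    return str(net)


def special_block_submit(form: dict) -> dict:
    """Web form path (Special:Block style). 'wpTarget' is an assumed field name."""
    normalised = check_block_target(form["wpTarget"])
    return {"ok": True, "target": normalised}


def api_block(params: dict) -> dict:
    """API path (action=block style). Same validator, no second copy of the rule.

    The bug class on this page is an API path that skipped a check the form
    path made; routing both through check_block_target removes that gap.
    """
    normalised = check_block_target(params["user"])
    return {"block": {"user": normalised}}


if __name__ == "__main__":
    # Constructed inputs for a stand-alone run.
    print(special_block_submit({"wpTarget": "192.0.2.0/24"}))
    print(api_block({"user": "2001:db8::/32"}))
    try:
        api_block({"user": "10.0.0.0/8"})
    except BlockRangeTooWide as e:
        print("rejected:", e)
```

The API handler deliberately contains no range logic of its own; when a new entry point (a maintenance script, a bot endpoint) is added, the reviewer's question is only whether it calls `check_block_target`, not whether it re-implemented the limit correctly.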

Event Timeline

Reedy created this task. Sep 20 2018, 10:00 PM
Reedy created this object with visibility "Custom Policy".
Reedy renamed this task from Obtain CVEs for 1.27.6/1.30.2/1.31.2 security releases to Obtain CVEs for 1.27.6/1.30.2/1.31.2/1.32.1 security releases. Feb 13 2019, 2:25 AM
Legoktm updated the task description.

There has been some change on the side of MITRE and their CNA handling, as a consequence Debian now only assigns CVE IDs for Debian-specific tools (like dpkg/apt) and Debian-specific vulnerabilities (e.g. if an issue is specific to a Debian patch or to e.g. a custom config/systemd unit) and no longer to all FLOSS packages shipped in Debian :-/

We do have a nice alternative, though: We can request them via https://cveform.mitre.org/ -> "Request a CVE ID". They can be requested and then show up as "RESERVED" on the MITRE site until MITRE is notified of its publication. Do we have an ETA for the next mediawiki security release?

jbond added a subscriber: jbond. Apr 16 2019, 9:32 AM
Reedy removed MoritzMuehlenhoff as the assignee of this task. Apr 30 2019, 3:58 PM
Reedy added a subscriber: MoritzMuehlenhoff.
Rxy added a subscriber: Rxy. Apr 30 2019, 4:00 PM
Reedy renamed this task from Obtain CVEs for 1.27.6/1.30.2/1.31.2/1.32.1 security releases to Obtain CVEs for 1.27.6/1.30.2/1.31.2/1.32.2 security releases. Apr 30 2019, 6:30 PM
Reedy updated the task description. May 29 2019, 12:04 AM

> We do have a nice alternative, though: We can request them via https://cveform.mitre.org/ -> "Request a CVE ID". They can be requested and then show up as "RESERVED" on the MITRE site until MITRE is notified of its publication.

Thanks for the heads up... "easy!" ;)

We just need to assign one of these categories to them and we can request the CVEs.

Reedy updated the task description. May 29 2019, 12:09 AM
Reedy updated the task description.
Reedy updated the task description. May 29 2019, 12:13 AM
Reedy updated the task description. May 30 2019, 2:29 PM
Reedy updated the task description.
Reedy updated the task description.
Reedy added a comment. May 30 2019, 2:42 PM

Request 697877 sent...

Reedy closed this task as Resolved. May 30 2019, 5:17 PM
Reedy claimed this task.
> [Suggested description]
> MediaWiki through 1.32.1 allows CSRF.
> 
> ------------------------------------------
> 
> [Vulnerability Type]
> Cross Site Request Forgery (CSRF)
> 
> ------------------------------------------
> 
> [Vendor of Product]
> Wikimedia
> 
> ------------------------------------------
> 
> [Affected Product Code Base]
> MediaWiki - *
> 
> ------------------------------------------
> 
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
> 
> ------------------------------------------
> 
> [Reference]
> https://lists.wikimedia.org/pipermail/mediawiki-announce/

Use CVE-2019-12466.


> [Suggested description]
> MediaWiki through 1.32.1 has Incorrect Access Control (issue 1 of 3).
> 
> ------------------------------------------
> 
> [Vulnerability Type]
> Incorrect Access Control
> 
> ------------------------------------------
> 
> [Vendor of Product]
> Wikimedia
> 
> ------------------------------------------
> 
> [Affected Product Code Base]
> MediaWiki - *
> 
> ------------------------------------------
> 
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
> 
> ------------------------------------------
> 
> [Reference]
> https://lists.wikimedia.org/pipermail/mediawiki-announce/

Use CVE-2019-12467.


> [Suggested description]
> MediaWiki 1.27.0 through 1.32.1 has Incorrect Access Control.
> 
> ------------------------------------------
> 
> [Vulnerability Type]
> Incorrect Access Control
> 
> ------------------------------------------
> 
> [Vendor of Product]
> Wikimedia
> 
> ------------------------------------------
> 
> [Affected Product Code Base]
> MediaWiki - >= 1.27.0
> 
> ------------------------------------------
> 
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
> 
> ------------------------------------------
> 
> [Reference]
> https://lists.wikimedia.org/pipermail/mediawiki-announce/

Use CVE-2019-12468.


> [Suggested description]
> MediaWiki through 1.32.1 has Incorrect Access Control (issue 2 of 3).
> 
> ------------------------------------------
> 
> [Vulnerability Type]
> Incorrect Access Control
> 
> ------------------------------------------
> 
> [Vendor of Product]
> Wikimedia
> 
> ------------------------------------------
> 
> [Affected Product Code Base]
> MediaWiki - *
> 
> ------------------------------------------
> 
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
> 
> ------------------------------------------
> 
> [Reference]
> https://lists.wikimedia.org/pipermail/mediawiki-announce/

Use CVE-2019-12469.


> [Suggested description]
> MediaWiki through 1.32.1 has Incorrect Access Control (issue 3 of 3).
> 
> ------------------------------------------
> 
> [Vulnerability Type]
> Incorrect Access Control
> 
> ------------------------------------------
> 
> [Vendor of Product]
> Wikimedia
> 
> ------------------------------------------
> 
> [Affected Product Code Base]
> MediaWiki - *
> 
> ------------------------------------------
> 
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
> 
> ------------------------------------------
> 
> [Reference]
> https://lists.wikimedia.org/pipermail/mediawiki-announce/

Use CVE-2019-12470.


> [Suggested description]
> MediaWiki 1.3.0 through 1.32.1 has XSS.
> 
> ------------------------------------------
> 
> [Vulnerability Type]
> Cross Site Scripting (XSS)
> 
> ------------------------------------------
> 
> [Vendor of Product]
> Wikimedia
> 
> ------------------------------------------
> 
> [Affected Product Code Base]
> MediaWiki - >= 1.3.0
> 
> ------------------------------------------
> 
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
> 
> ------------------------------------------
> 
> [Reference]
> https://lists.wikimedia.org/pipermail/mediawiki-announce/

Use CVE-2019-12471.


> [Suggested description]
> MediaWiki 1.18.0 through 1.32.1 has Incorrect Access Control.
> 
> ------------------------------------------
> 
> [Vulnerability Type]
> Incorrect Access Control
> 
> ------------------------------------------
> 
> [Vendor of Product]
> Wikimedia
> 
> ------------------------------------------
> 
> [Affected Product Code Base]
> MediaWiki - >= 1.18.0
> 
> ------------------------------------------
> 
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
> 
> ------------------------------------------
> 
> [Reference]
> https://lists.wikimedia.org/pipermail/mediawiki-announce/

Use CVE-2019-12472.


> [Suggested description]
> MediaWiki 1.27.0 through 1.32.1 might allow DoS.
> 
> ------------------------------------------
> 
> [VulnerabilityType Other]
> Potential DoS
> 
> ------------------------------------------
> 
> [Vendor of Product]
> Wikimedia
> 
> ------------------------------------------
> 
> [Affected Product Code Base]
> MediaWiki - >= 1.27.0
> 
> ------------------------------------------
> 
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
> 
> ------------------------------------------
> 
> [Reference]
> https://lists.wikimedia.org/pipermail/mediawiki-announce/

Use CVE-2019-12473.


> [Suggested description]
> MediaWiki 1.23.0 through 1.32.1 has an information leak.
> 
> ------------------------------------------
> 
> [VulnerabilityType Other]
> Infoleak
> 
> ------------------------------------------
> 
> [Vendor of Product]
> Wikimedia
> 
> ------------------------------------------
> 
> [Affected Product Code Base]
> MediaWiki - >= 1.23.0
> 
> ------------------------------------------
> 
> [Reference]
> https://lists.wikimedia.org/pipermail/mediawiki-announce/

Use CVE-2019-12474.
Reedy updated the task description. May 30 2019, 5:22 PM
Reedy updated the task description.
Reedy updated the task description. May 30 2019, 5:25 PM
Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)". Jun 6 2019, 4:02 PM