Page MenuHomePhabricator
Create Task
Maniphest T205048

Obtain CVEs for 1.27.6/1.30.2/1.31.2/1.32.2 security releases
Closed, ResolvedPublic
Actions

Description

T197279 - Directly POSTing to Special:ChangeEmail would allow for bypassing reauthentication, allowing for potential account takeover.

Vulnerability type: Incorrect Access Controls

Affects all MediaWiki versions since 1.27.0 (Jun 2016)

CVE-2019-12468

T204729 - Passing invalid titles to the API could cause a DoS by querying the entire watchlist table.

Vulnerability type: Other

Affects all MediaWiki versions since 1.27.0 (Jun 2016)

CVE-2019-12473

T207603 - Loading user JavaScript from a non-existent account allows anyone to create the account, and XSS the users' loading that script.

Vulnerability type: XSS

Affects all MediaWiki versions since 1.3.0 (August 2004) if $wgAllowUserJs is enabled (it defaults to false since 1.3.10).

CVE-2019-12471

T199540 - It is possible to bypass the limits on IP range blocks ($wgBlockCIDRLimit) by using the API.

Vulnerability type: Incorrect Access Controls

Affects all MediaWiki versions since 1.18.0 (November 2011).

CVE-2019-12472

T212118 - Privileged API responses that include whether a recent change has been patrolled may be cached publicly

Vulnerability type: Other

Affects all MediaWiki versions since 1.23.0 (June 2014).

CVE-2019-12474

T209794 - A spammer can use Special:ChangeEmail to send out spam with no rate limiting or ability to block them.

Vulnerability type: Incorrect Access Controls

Affects all MediaWiki versions. (I think...)

CVE-2019-12467

T25227 - An account can be logged out without using a token (CSRF)

Vulnerability type:

Affects all MediaWiki versions.

CVE-2019-12466

T222036 - Exposed suppressed username or log in Special:EditTags

Vulnerability type: Incorrect Access Controls

CVE-2019-12469

T222038 - Exposed suppressed log in RevisionDelete page

Vulnerability type: Incorrect Access Controls

Affects

CVE-2019-12470

Not requesting a CVE for T208881 which seems like an issue in browsers, not MediaWiki.

Not requesting a CVE for T207916, which is about improving our auditing and logging.

Related Objects
Search...

Event Timeline

Reedy created this task.Sep 20 2018, 10:00 PM
Reedy created this object with visibility "Custom Policy".
Reedy renamed this task from Obtain CVEs for 1.27.6/1.30.2/1.31.2 security releases to Obtain CVEs for 1.27.6/1.30.2/1.31.2/1.32.1 security releases.Feb 13 2019, 2:25 AM
Legoktm assigned this task to MoritzMuehlenhoff.Apr 7 2019, 11:48 PM
Legoktm updated the task description. (Show Details)
MoritzMuehlenhoff added a comment.Apr 8 2019, 1:40 PM

There has been some change on the side of MITRE and their CNA handling, as a consequence Debian now only assigns CVE IDs for Debian-specific tools (like dpkg/apt) and Debian-specific vulnerabilities (e.g. if an issue is specific to a Debian patch or to e.g. a custom config/systemd unit) and no longer to all FLOSS packages shipped in Debian :-/

We do have a nice alternative, though: We can request them via https://cveform.mitre.org/ -> "Request a CVE ID". They can be requested and then show up as "RESERVED" on the MITRE site until MITRE is notified of it's publication. Do we have an ETA for the next mediawiki security release?

Jdforrester-WMF subscribed.Apr 9 2019, 9:31 PM
jbond subscribed.Apr 16 2019, 9:32 AM
Reedy removed MoritzMuehlenhoff as the assignee of this task.Apr 30 2019, 3:58 PM
Reedy added a subscriber: MoritzMuehlenhoff.
Rxy subscribed.Apr 30 2019, 4:00 PM
Reedy renamed this task from Obtain CVEs for 1.27.6/1.30.2/1.31.2/1.32.1 security releases to Obtain CVEs for 1.27.6/1.30.2/1.31.2/1.32.2 security releases.Apr 30 2019, 6:30 PM
Reedy updated the task description. (Show Details)May 29 2019, 12:04 AM
Reedy added a comment.May 29 2019, 12:07 AM
In T205048#5093504, @MoritzMuehlenhoff wrote:

We do have a nice alternative, though: We can request them via https://cveform.mitre.org/ -> "Request a CVE ID". They can be requested and then show up as "RESERVED" on the MITRE site until MITRE is notified of it's publication.

Thanks for the heads up... "easy!" ;)

We just need to assign one of these categories to them and we can request the CVE's

Screenshot 2019-05-29 at 01.05.22.png (1×1 px, 373 KB)

Reedy updated the task description. (Show Details)May 29 2019, 12:09 AM
Reedy updated the task description. (Show Details)
Reedy updated the task description. (Show Details)May 29 2019, 12:13 AM
Reedy updated the task description. (Show Details)May 30 2019, 2:29 PM
Reedy updated the task description. (Show Details)
Reedy updated the task description. (Show Details)
Reedy added a comment.May 30 2019, 2:42 PM

Request 697877 sent...

Reedy closed this task as Resolved.EditedMay 30 2019, 5:17 PM
Reedy claimed this task.
> [Suggested description]
> MediaWiki through 1.32.1 allows CSRF.
> 
> ------------------------------------------
> 
> [Vulnerability Type]
> Cross Site Request Forgery (CSRF)
> 
> ------------------------------------------
> 
> [Vendor of Product]
> Wikimedia
> 
> ------------------------------------------
> 
> [Affected Product Code Base]
> MediaWiki - *
> 
> ------------------------------------------
> 
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
> 
> ------------------------------------------
> 
> [Reference]
> https://lists.wikimedia.org/pipermail/mediawiki-announce/

Use CVE-2019-12466.


> [Suggested description]
> MediaWiki through 1.32.1 has Incorrect Access Control (issue 1 of 3).
> 
> ------------------------------------------
> 
> [Vulnerability Type]
> Incorrect Access Control
> 
> ------------------------------------------
> 
> [Vendor of Product]
> Wikimedia
> 
> ------------------------------------------
> 
> [Affected Product Code Base]
> MediaWiki - *
> 
> ------------------------------------------
> 
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
> 
> ------------------------------------------
> 
> [Reference]
> https://lists.wikimedia.org/pipermail/mediawiki-announce/

Use CVE-2019-12467.


> [Suggested description]
> MediaWiki 1.27.0 through 1.32.1 has Incorrect Access Control.
> 
> ------------------------------------------
> 
> [Vulnerability Type]
> Incorrect Access Control
> 
> ------------------------------------------
> 
> [Vendor of Product]
> Wikimedia
> 
> ------------------------------------------
> 
> [Affected Product Code Base]
> MediaWiki - >= 1.27.0
> 
> ------------------------------------------
> 
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
> 
> ------------------------------------------
> 
> [Reference]
> https://lists.wikimedia.org/pipermail/mediawiki-announce/

Use CVE-2019-12468.


> [Suggested description]
> MediaWiki through 1.32.1 has Incorrect Access Control (issue 2 of 3).
> 
> ------------------------------------------
> 
> [Vulnerability Type]
> Incorrect Access Control
> 
> ------------------------------------------
> 
> [Vendor of Product]
> Wikimedia
> 
> ------------------------------------------
> 
> [Affected Product Code Base]
> MediaWiki - *
> 
> ------------------------------------------
> 
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
> 
> ------------------------------------------
> 
> [Reference]
> https://lists.wikimedia.org/pipermail/mediawiki-announce/

Use CVE-2019-12469.


> [Suggested description]
> MediaWiki through 1.32.1 has Incorrect Access Control (issue 3 of 3).
> 
> ------------------------------------------
> 
> [Vulnerability Type]
> Incorrect Access Control
> 
> ------------------------------------------
> 
> [Vendor of Product]
> Wikimedia
> 
> ------------------------------------------
> 
> [Affected Product Code Base]
> MediaWiki - *
> 
> ------------------------------------------
> 
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
> 
> ------------------------------------------
> 
> [Reference]
> https://lists.wikimedia.org/pipermail/mediawiki-announce/

Use CVE-2019-12470.


> [Suggested description]
> MediaWiki 1.3.0 through 1.32.1 has XSS.
> 
> ------------------------------------------
> 
> [Vulnerability Type]
> Cross Site Scripting (XSS)
> 
> ------------------------------------------
> 
> [Vendor of Product]
> Wikimedia
> 
> ------------------------------------------
> 
> [Affected Product Code Base]
> MediaWiki - >= 1.3.0
> 
> ------------------------------------------
> 
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
> 
> ------------------------------------------
> 
> [Reference]
> https://lists.wikimedia.org/pipermail/mediawiki-announce/

Use CVE-2019-12471.


> [Suggested description]
> MediaWiki 1.18.0 through 1.32.1 has Incorrect Access Control.
> 
> ------------------------------------------
> 
> [Vulnerability Type]
> Incorrect Access Control
> 
> ------------------------------------------
> 
> [Vendor of Product]
> Wikimedia
> 
> ------------------------------------------
> 
> [Affected Product Code Base]
> MediaWiki - >= 1.18.0
> 
> ------------------------------------------
> 
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
> 
> ------------------------------------------
> 
> [Reference]
> https://lists.wikimedia.org/pipermail/mediawiki-announce/

Use CVE-2019-12472.


> [Suggested description]
> MediaWiki 1.27.0 through 1.32.1 might allow DoS.
> 
> ------------------------------------------
> 
> [VulnerabilityType Other]
> Potential DoS
> 
> ------------------------------------------
> 
> [Vendor of Product]
> Wikimedia
> 
> ------------------------------------------
> 
> [Affected Product Code Base]
> MediaWiki - >= 1.27.0
> 
> ------------------------------------------
> 
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
> 
> ------------------------------------------
> 
> [Reference]
> https://lists.wikimedia.org/pipermail/mediawiki-announce/

Use CVE-2019-12473.


> [Suggested description]
> MediaWiki 1.23.0 through 1.32.1 has an information leak.
> 
> ------------------------------------------
> 
> [VulnerabilityType Other]
> Infoleak
> 
> ------------------------------------------
> 
> [Vendor of Product]
> Wikimedia
> 
> ------------------------------------------
> 
> [Affected Product Code Base]
> MediaWiki - >= 1.23.0
> 
> ------------------------------------------
> 
> [Reference]
> https://lists.wikimedia.org/pipermail/mediawiki-announce/

Use CVE-2019-12474.
Reedy updated the task description. (Show Details)May 30 2019, 5:22 PM
Reedy updated the task description. (Show Details)
Reedy updated the task description. (Show Details)May 30 2019, 5:25 PM
Reedy added a parent task: T225149: Update CVEs and publish them.Jun 5 2019, 8:59 PM
Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".Jun 6 2019, 4:02 PM
chasemp added a project: Security.Feb 10 2020, 10:51 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:12 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits