Page MenuHomePhabricator
Create Task
Maniphest T248541

Obtain CVEs for 1.31.8/1.33.4/1.34.2 security releases
Closed, ResolvedPublic
Actions

Description

T248947: img_auth.php may leak private extension images into the public cache (CVE-2020-15005): In MediaWiki before 1.31.8/1.33.4/1.34.2, private wikis behind a caching server using the img_auth.php image authorization security feature may have had their files cached publicly, so any unauthorized user could view them. All MediaWiki versions since 1.23.0 are vulnerable.

Related Objects
Search...

Event Timeline

Reedy created this task.Mar 26 2020, 12:37 AM
Reedy edited projects, added MediaWiki-Releasing; removed Security-Team.Mar 26 2020, 12:39 AM
Reedy changed the subtype of this task from "Security Issue" to "Task".
Legoktm claimed this task.Jun 24 2020, 3:44 AM
Legoktm updated the task description. (Show Details)
Legoktm closed this task as Resolved.Jun 24 2020, 11:20 AM

CVE-2020-15005

Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".Jun 24 2020, 4:59 PM
Reedy changed the edit policy from "Custom Policy" to "All Users".
Reedy mentioned this in T256341: Obtain CVEs for 1.31.9/1.34.3/1.35.0 security releases.Aug 26 2020, 4:07 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits