Page MenuHomePhabricator
Create Task
Maniphest T306174

add to extension supplement for CreateRedirect Auth issues (CVE-2022-29547)
Closed, ResolvedPublic
Actions

Description

Making public since was reported public and pushed through gerrit.

Please request a CVE & add to next supplement for the issues reported in https://www.mediawiki.org/wiki/Extension_talk:CreateRedirect & https://phabricator.miraheze.org/T9061 that were fixed with https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CreateRedirect/+/780567

This extension had insufficient permissions checks.

Related Objects

Event Timeline

RhinosF1 created this task.Apr 14 2022, 11:13 AM
Restricted Application added a project: User-RhinosF1. · View Herald TranscriptApr 14 2022, 11:13 AM
Restricted Application added subscribers: Reception123, Aklapper. · View Herald Transcript
dmehus moved this task from Radar to Miraheze-Linked on the User-RhinosF1 board.Apr 17 2022, 4:38 AM
sbassett mentioned this in T305209: Write and send supplementary release announcement for extensions and skins with security patches (1.35.7/1.37.3/1.38.2).Apr 18 2022, 4:12 PM
sbassett closed this task as Resolved.Apr 18 2022, 4:27 PM
sbassett claimed this task.
sbassett added a project: SecTeam-Processed.
sbassett moved this task from Incoming to Our Part Is Done on the Security-Team board.
sbassett added a subscriber: sbassett.

Hey @RhinosF1 -

I've got this tracked for the next supplemental security release here: T305209. We'll plan to request a CVE for it by the end of this quarter (June 2022) though if anybody else would like to handle that sooner, that's fine. Looks like the backports are all merged as well, so that's good. I'm going to resolve this for now since I don't believe there's anything else actionable at this time.

Maintenance_bot moved this task from Miraheze-Linked to Done on the User-RhinosF1 board.Apr 18 2022, 4:29 PM
RhinosF1 added a comment.Apr 18 2022, 4:30 PM

That's fine. I'm only used to GitHub's CVE process. If there's anyway we can help you, do let me know.

sbassett added a comment.EditedApr 18 2022, 5:12 PM
In T306174#7861455, @RhinosF1 wrote:

That's fine. I'm only used to GitHub's CVE process. If there's anyway we can help you, do let me know.

tbh, the Security-Team typically just uses https://cveform.mitre.org/. We had talked about becoming a CNA at one point, but never did.

RhinosF1 renamed this task from Request CVE & add to extension supplement for CreateRedirect Auth issues to add to extension supplement for CreateRedirect Auth issues (CVE-REQUESTED).Apr 18 2022, 5:22 PM
RhinosF1 added a comment.Apr 18 2022, 5:28 PM

Mitre ref CVE Request 1252146 for CVE ID Request

RhinosF1 renamed this task from add to extension supplement for CreateRedirect Auth issues (CVE-REQUESTED) to add to extension supplement for CreateRedirect Auth issues (CVE-2022-29547).Apr 21 2022, 5:57 AM

@sbassett: assigned

Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL