An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. CheckUser TokenManager insecurely uses AES-CTR encryption with a repeated (aka re-used) nonce, allowing an adversary to decrypt.
{
"unresolved_ranges": [
{
"source": "DESCRIPTION",
"extracted_events": [
{
"fixed": "1.35.9"
},
{
"introduced": "1.36.x"
},
{
"fixed": "1.38.x"
},
{
"fixed": "1.38.5"
},
{
"introduced": "1.39.x"
},
{
"fixed": "1.39.1"
}
]
}
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/22xxx/CVE-2023-22912.json",
"cna_assigner": "mitre"
}{
"source": [
"CPE_RANGE",
"CPE_STRING"
],
"cpe": [
"cpe:2.3:a:mediawiki:mediawiki:*:*:*:*:*:*:*:*",
"cpe:2.3:a:mediawiki:mediawiki:1.39.0:-:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "1.35.9"
},
{
"introduced": "1.36.0"
},
{
"fixed": "1.38.5"
},
{
"introduced": "1.39.0-NA"
},
{
"last_affected": "1.39.0-NA"
}
]
}