GHSA-xpv7-93cm-4mxv
Suggest an improvement- Source
- https://github.com/advisories/GHSA-xpv7-93cm-4mxv
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-xpv7-93cm-4mxv/GHSA-xpv7-93cm-4mxv.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-xpv7-93cm-4mxv
- Aliases
- Published
- 2022-05-24T17:21:40Z
- Modified
- 2024-12-02T05:51:39.267984Z
- Summary
- img_auth.php may leak private extension images into the public cache
- Details
-
In MediaWiki before 1.31.8, 1.32.x and 1.33.x before 1.33.4, and 1.34.x before 1.34.2, private wikis behind a caching server using the img_auth.php image authorization security feature may have had their files cached publicly, so any unauthorized user could view them. This occurs because Cache-Control and Vary headers were mishandled.
- Database specific
{ "nvd_published_at": "2020-06-24T23:15:00Z", "github_reviewed_at": "2024-11-01T23:09:01Z", "cwe_ids": [ "CWE-200" ], "severity": "MODERATE", "github_reviewed": true }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2020-15005
- https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/core/+/REL1_31/RELEASE-NOTES-1.31
- https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/core/+/REL1_33/RELEASE-NOTES-1.33
- https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/core/+/REL1_34/RELEASE-NOTES-1.34
- https://github.com/wikimedia/mediawiki
- https://lists.debian.org/debian-lts-announce/2020/12/msg00034.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EEZIMLJMJS72SJXPYL736XMUAVCRQD2H
- https://lists.wikimedia.org/pipermail/wikitech-l/2020-June/093535.html
- https://phabricator.wikimedia.org/T248947
- https://www.debian.org/security/2020/dsa-4767
Affected packages
Packagist / mediawiki/core
Package
- Name
- mediawiki/core
- Purl
- pkg:composer/mediawiki/core
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.31.8
Affected versions
1.*
1.20.3
1.20.4
1.20.5
1.20.6
1.20.7
1.20.8
1.21.0
1.21.1
1.21.2
1.21.3
1.21.4
1.21.5
1.21.6
1.21.7
1.21.8
1.21.9
1.21.10
1.21.11
1.22.0rc0
1.24.0-rc.0
1.24.0-rc.1
1.24.0-rc.2
1.24.0-rc.3
1.24.0
1.24.1
1.24.2
1.24.3
1.24.4
1.24.5
1.24.6
1.25.0-rc.0
1.25.0
1.25.1
1.25.2
1.25.3
1.25.4
1.25.5
1.25.6
1.26.0
1.26.1
1.26.2
1.26.3
1.26.4
1.27.0-rc.0
1.27.0-rc.1
1.27.0
1.27.1
1.27.2
1.27.3
1.27.4
1.27.5
1.27.6
1.27.7
1.28.0-rc.0
1.28.0-rc.1
1.28.0
1.28.1
1.28.2
1.28.3
1.29.0-rc.0
1.29.0-rc.1
1.29.0
1.29.1
1.29.2
1.29.3
1.30.0-rc.0
1.30.0
1.30.1
1.30.2
1.31.0-rc.0
1.31.0-rc.1
1.31.0-rc.2
1.31.0
1.31.1
1.31.2
1.31.3
1.31.4
1.31.5
1.31.6
1.31.7
Packagist / mediawiki/core
Package
- Name
- mediawiki/core
- Purl
- pkg:composer/mediawiki/core
Packagist / mediawiki/core
Package
- Name
- mediawiki/core
- Purl
- pkg:composer/mediawiki/core