PT-2020-6807 · Mediawiki +1

Tim Starling +1 · Published 2020-06-24 · Updated 2024-03-06 · CVE-2020-15005

CVSS v3.1: 3.1 (Low)

Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

MediaWiki versions prior to 1.31.8
MediaWiki versions 1.32.x
MediaWiki versions 1.33.x prior to 1.33.4
MediaWiki versions 1.34.x prior to 1.34.2

Description

The issue concerns private wikis behind a caching server that use the img_auth.php image authorization security feature. Due to mishandled Cache-Control and Vary headers, files may have been cached publicly, allowing any unauthorized user to view them. This results in the potential disclosure of protected information.

Recommendations

For MediaWiki versions prior to 1.31.8, update to version 1.31.8 or later.
For MediaWiki versions 1.32.x, update to version 1.33.4 or later, or apply the necessary patches.
For MediaWiki versions 1.33.x prior to 1.33.4, update to version 1.33.4 or later.
For MediaWiki versions 1.34.x prior to 1.34.2, update to version 1.34.2 or later.
As a temporary workaround, consider restricting access to the img_auth.php feature until a patch is applied.
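
A header audit for the condition in the Description, as an added example that is not part of the advisory or of MediaWiki's code: it marks a response from an image-authorization endpoint as exposed when a shared cache may reuse it without keying the stored copy on credentials. The function names, the credential header set and the sample header sets are assumptions constructed for illustration.

```python
# Added example: audit response headers of an image-authorization endpoint
# for shared-cache exposure. All sample header sets below are constructed.

CREDENTIAL_HEADERS = {"cookie", "authorization"}  # assumption: how sessions are carried


def parse_directives(value):
    """Return the lower-cased directive or field names of a comma-separated header."""
    names = set()
    for part in (value or "").split(","):
        name = part.split("=", 1)[0].strip().lower()
        if name:
            names.add(name)
    return names


def audit(headers):
    """Classify one response; headers maps response header name -> value."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_directives(h.get("cache-control"))
    vary = parse_directives(h.get("vary"))
    # private and no-store forbid a shared cache from storing the response;
    # no-cache forbids reuse without revalidating against the origin.
    # Anything else, including no Cache-Control at all, may be stored and
    # reused, either explicitly (public, s-maxage, max-age) or heuristically.
    shared_reusable = not (cc & {"private", "no-store", "no-cache"})
    # Vary: * never matches a later request; Vary on a credential header
    # keys the stored copy to the requester's session.
    keyed = "*" in vary or bool(vary & CREDENTIAL_HEADERS)
    return {
        "shared_reusable": shared_reusable,
        "keyed_to_credentials": keyed,
        "exposed": shared_reusable and not keyed,
    }


# Constructed samples, not captured from any MediaWiki release.
SAMPLES = {
    "public, no Vary": {"Cache-Control": "public, max-age=3600"},
    "no caching headers": {"Content-Type": "image/png"},
    "max-age with Vary: Cookie": {"Cache-Control": "max-age=60",
                                  "Vary": "Accept-Encoding, Cookie"},
    "private": {"Cache-Control": "private, max-age=60", "Vary": "Cookie"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(f"{label:28} {audit(hdrs)}")
```

Feed it the headers the origin returns for a protected file, fetched as a logged-in user, to confirm the response is no longer publicly cacheable after the update.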

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

ALT-PU-2020-2488
ALT-PU-2020-3055
BDU:2022-07039
BIT-MEDIAWIKI-2020-15005
CVE-2020-15005
DLA-2504-1
DSA-4767-1
GHSA-XPV7-93CM-4MXV
MGASA-2020-0292

Affected Products

Alt Linux
Mediawiki