Bug 1369613 (CVE-2016-6331, CVE-2016-6332, CVE-2016-6333, CVE-2016-6334, CVE-2016-6335, CVE-2016-6336)

Summary: CVE-2016-6331 CVE-2016-6332 CVE-2016-6333 CVE-2016-6334 CVE-2016-6335 CVE-2016-6336 mediawiki: multiple flaws fixed in 1.27.1, 1.26.4 and 1.23.15
Product: [Other] Security Response
Component: vulnerability
Reporter: Jeremy Choi <jechoi>
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM
Severity: medium
Priority: medium
Version: unspecified
CC: extras-orphan, gwync, mike, puiterwijk
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: mediawiki 1.27.1, mediawiki 1.26.4, mediawiki 1.23.15
Last Closed: 2019-06-08 02:57:49 UTC
Bug Depends On: 1369614, 1369615

Description Jeremy Choi 2016-08-24 01:29:25 UTC
Multiple flaws have been reported on mediawiki. 

T115333: API action=parse does not check per-title read permissions
= Flaw =
  MediaWiki does not properly respect results from extensions that deny
read access to certain pages via the userCan hook.
= Exploit =
  Users may gain inadvertent access to pages which extensions (such as
Lockdown) have been configured to disallow.
= Affects =
  MediaWiki versions
    1.27.x prior to 1.27.1
    1.26.x prior to 1.26.4
    1.23.x prior to 1.23.14
    and unsupported branches 1.22.x, 1.24.x and 1.25.x
= Reference =
  https://phabricator.wikimedia.org/T115333

T129738: Blocked accounts on BlockDisablesLogin wikis aren't logged out
= Flaw =
  On wikis which have been configured with $wgBlockDisablesLogin set
true, blocked user sessions are not terminated at the time that the user
account is blocked.
= Exploit =
  Blocked users will continue to have access to the wiki for the
duration of their login session.
= Affects =
  MediaWiki versions
    1.27.x prior to 1.27.1
    1.26.x prior to 1.26.4
    1.23.x prior to 1.23.14
    and unsupported branches 1.22.x, 1.24.x and 1.25.x
= Reference =
  https://phabricator.wikimedia.org/T129738

T133147: XSS via CSS user subpage preview feature
= Flaw =
  When previewing Special:Mypage/common.css, the contents are included
in an inline <style> tag. However, "</style>" is not properly escaped,
allowing arbitrary HTML.
= Exploit =
  An attacker may execute a reflected cross-site scripting attack
against non-authenticated users.
= Affects =
  MediaWiki versions
    1.27.x prior to 1.27.1
    1.26.x prior to 1.26.4
    1.23.x prior to 1.23.14
    and unsupported branches 1.22.x, 1.24.x and 1.25.x
= Reference =
  https://phabricator.wikimedia.org/T133147

T137264: XSS in Parser::replaceInternalLinks2 during replacement of
percent encoding in unclosed internal links
= Flaw =
  MediaWiki does not properly process URL-encoded values when handling
unterminated internal links.
= Exploit =
  An attacker may submit content containing specially-crafted
unterminated links, leading to persistent cross-site scripting.
= Affects =
  MediaWiki versions
    1.27.x prior to 1.27.1
    1.26.x prior to 1.26.4
    1.23.x prior to 1.23.14
    and unsupported branches 1.22.x, 1.24.x and 1.25.x
= Reference =
  https://phabricator.wikimedia.org/T137264

T139570: API action=parse&prop=headhtml leaks current user and their
tokens to third-party sites when used via JSONP
= Flaw =
  The result of a MediaWiki API call using JSONP reveals private user
data, including username and CSRF token.
= Exploit =
  An attacker may take advantage of the revealed information to
circumvent CSRF protection.
= Affects =
  MediaWiki versions
    1.27.x prior to 1.27.1
    1.26.x prior to 1.26.4
    1.23.x prior to 1.23.14
    and unsupported branches 1.22.x, 1.24.x and 1.25.x
= Reference =
  https://phabricator.wikimedia.org/T139570

T132926: Admins can get around oversight (suppression) of file revisions
= Flaw =
  MediaWiki does not properly enforce access controls limiting
restoration of deleted or suppressed files.
= Exploit =
  Admins with insufficient permissions may restore deleted or suppressed
files.
= Affects =
  MediaWiki versions
    1.27.x prior to 1.27.1
    1.26.x prior to 1.26.4
    1.23.x prior to 1.23.14
    and unsupported branches 1.22.x, 1.24.x and 1.25.x
= Reference =
  https://phabricator.wikimedia.org/T132926

T139670: Central auth global groups don't take session rights limit into
account
= Flaw =
  The UserGetRights runtime hook allowed extensions to grant permissions
that had previously been denied based on user session attributes.
= Exploit =
  Extensions using this hook may accidentally or maliciously add
permissions which had been explicitly disallowed.
= Affects =
  MediaWiki versions
    1.27.x prior to 1.27.1
= Reference =
  https://phabricator.wikimedia.org/T139670
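As an added defender's illustration of the T133147 flaw (this is not MediaWiki's own PHP code and not part of the bug report): the body of a `<style>` element is raw text, so HTML entity escaping does nothing there and the only thing that matters is whether the untrusted CSS can spell `</style`. The hardened form replaces `<` with a CSS hex escape, the same idea as the upstream fix, and a small check flags rendered markup in which the embedded block closed the element early. The sample CSS is constructed.

```python
import re

# Constructed sample: a "user common.css" body that tries to break out of
# the style element and inject a script (the reflected XSS described above).
HOSTILE_CSS = 'body { color: red } </style><script>alert(1)</script><style>'


def inline_style_unsafe(css: str) -> str:
    # The flawed pattern: untrusted CSS dropped verbatim into <style>.
    # Entity-encoding would not help, because browsers do not decode
    # entities inside <style>; the element ends at the first "</style".
    return "<style>" + css + "</style>"


def inline_style_safe(css: str) -> str:
    # Hardened form (assumption: mirrors the upstream approach, written
    # independently here). In CSS, "\3c " is the hex escape for "<" and the
    # trailing space is swallowed by the parser, so selectors and values
    # keep their meaning while "</style" can no longer be formed. ">" is
    # left alone because it is the child-combinator in selectors.
    return "<style>" + css.replace("<", "\\3c ") + "</style>"


# Raw-text end tag matching is case-insensitive; "</style" followed by
# whitespace, "/" or ">" terminates the element.
STYLE_CLOSE = re.compile(r"</style", re.IGNORECASE)


def breaks_out(html: str) -> bool:
    # Detection check for a rendered page: more than one "</style" means
    # the embedded content closed the element before the server did.
    return len(STYLE_CLOSE.findall(html)) > 1
```

Running `breaks_out` over `inline_style_unsafe(HOSTILE_CSS)` reports the early close; over `inline_style_safe(HOSTILE_CSS)` it does not, and a selector such as `a > b` passes through the safe form unchanged.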

Comment 1 Jeremy Choi 2016-08-24 01:30:03 UTC
Created mediawiki tracking bugs for this issue:

Affects: fedora-all [bug 1369614]
Affects: epel-all [bug 1369615]

Comment 2 Andrej Nemec 2016-08-29 07:27:19 UTC
External references:

https://lists.wikimedia.org/pipermail/mediawiki-announce/2016-August/000195.html

Comment 3 Andrej Nemec 2016-08-29 07:28:51 UTC
It seems that upstream changed the fixed in version of 1.23 branch to 1.23.15.

https://www.mediawiki.org/wiki/Release_notes/1.23#Changes_since_1.23.14

Comment 4 Fedora Update System 2016-09-06 18:24:19 UTC
mediawiki-1.27.1-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2016-09-06 22:23:47 UTC
mediawiki-1.26.4-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2016-09-07 01:49:40 UTC
mediawiki-1.26.4-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 7 Product Security DevOps Team 2019-06-08 02:57:49 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.