Bug 1851026 (CVE-2020-15005)

Summary: CVE-2020-15005 mediawiki: possible leak of private extension images into public cache
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: aos-bugs, Axel.Thimm, bmontgom, eparis, jburrell, jokerman, mike, nstielau, puiterwijk, shurley, sponnaga
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: MediaWiki 1.34.2, MediaWiki 1.33.4, MediaWiki 1.31.8 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-28 08:23:24 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1851027, 1855270, 1855271    
Bug Blocks: 1851028    

Description Guilherme de Almeida Suckevicz 2020-06-25 13:04:52 UTC 
In MediaWiki before 1.31.8, 1.32.x and 1.33.x before 1.33.4, and 1.34.x before 1.34.2, private wikis behind a caching server using the img_auth.php image authorization security feature may have had their files cached publicly, so any unauthorized user could view them.

Reference:
https://phabricator.wikimedia.org/T248947
Comment 1 Guilherme de Almeida Suckevicz 2020-06-25 13:05:13 UTC 
Created mediawiki tracking bugs for this issue:

Affects: fedora-all [bug 1851027]
Comment 5 Przemyslaw Roguski 2020-07-10 07:15:33 UTC 
External References:

https://phabricator.wikimedia.org/T248947
Comment 6 Przemyslaw Roguski 2020-07-10 07:30:48 UTC 
Statement:

The mediawiki package was removed from Red Hat OpenShift Container Platform in version 4.3.
Comment 7 Przemyslaw Roguski 2020-07-10 07:36:09 UTC 
Upstream patch: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/607557/