Bug 2233116 (CVE-2023-36674)

Summary: CVE-2023-36674 MediaWiki: Manualthumb bypasses badFile lookup
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: askrabec
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: mediawiki 1.13.11, mediawiki 1.38.7, mediawiki 1.39.4, mediawiki 1.40.1 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in MediaWiki. When manually setting a thumbnail image for an image embed, the thumbnail image is not checked against the bad file list, allowing it to be embedded.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2233911    
Bug Blocks: 2233117    

Description Guilherme de Almeida Suckevicz 2023-08-21 14:04:40 UTC 
An issue was discovered in MediaWiki before 1.35.11, 1.36.x through 1.38.x before 1.38.7, 1.39.x before 1.39.4, and 1.40.x before 1.40.1. It is possible to bypass the Bad image list (aka badFile) by using the thumb parameter (aka Manualthumb) of the File syntax.

Reference:
https://phabricator.wikimedia.org/T335612
Comment 1 Anten Skrabec 2023-08-23 17:21:59 UTC 
Created mediawiki tracking bugs for this issue:

Affects: fedora-all [bug 2233911]