An issue was discovered in the OATHAuth extension in MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4. For Wikis using OATHAuth on a farm/cluster (such as via CentralAuth), rate limiting of OATH tokens is only done on a single site level. Thus, multiple requests can be made across many wikis/sites concurrently. References: https://lists.wikimedia.org/pipermail/mediawiki-l/2020-September/048480.html https://lists.wikimedia.org/pipermail/mediawiki-l/2020-September/048488.html https://phabricator.wikimedia.org/T251661
Created mediawiki tracking bugs for this issue: Affects: fedora-all [bug 1903762]
This vulnerability is related to the factoryNonLocal function, which was introduced in version 1.31.9. OpenShift Container Platform delivers mediawiki-1.27.7-1, where the vulnerable code doesn't exist.
External References: https://phabricator.wikimedia.org/T251661
Statement: OpenShift Container Platform (OCP) delivers the mediawiki package, but the vulnerable code is not bundled, therefore OCP is not affected by this flaw.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-25827