Bug 1903764 (CVE-2020-25813) - CVE-2020-25813 mediawiki: Special:UserRights exposes the existence of hidden users
Summary: CVE-2020-25813 mediawiki: Special:UserRights exposes the existence of hidden ...
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2020-25813
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1903765 1905140
Blocks: 1903781
TreeView+ depends on / blocked
 
Reported: 2020-12-02 18:25 UTC by Dhananjay Arunesh
Modified: 2021-10-28 08:35 UTC (History)
11 users (show)

Fixed In Version: mediawiki-1.34.4, mediawiki-1.31.10
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-10-28 08:35:43 UTC
Embargoed:

Attachments (Terms of Use)

Description Dhananjay Arunesh 2020-12-02 18:25:59 UTC 
In MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4, Special:UserRights exposes the existence of hidden users.

References:
https://lists.wikimedia.org/pipermail/mediawiki-l/2020-September/048480.html
https://lists.wikimedia.org/pipermail/mediawiki-l/2020-September/048488.html
https://meta.wikimedia.org/wiki/Special:UserRights
Comment 1 Dhananjay Arunesh 2020-12-02 18:26:39 UTC 
Created mediawiki tracking bugs for this issue:

Affects: fedora-all [bug 1903765]
Comment 2 Przemyslaw Roguski 2020-12-07 16:06:05 UTC 
Upstream commit:
https://gerrit.wikimedia.org/r/c/mediawiki/core/+/609532
Comment 3 Przemyslaw Roguski 2020-12-07 16:06:07 UTC 
Statement:

The mediawiki package was removed from OpenShift Container Platform in version 4.3.
Comment 4 Przemyslaw Roguski 2020-12-07 16:06:09 UTC 
External References:

https://phabricator.wikimedia.org/T232568
Note You need to log in before you can comment on or make changes to this bug.