The API in the Push extension for MediaWiki through 1.35 used cleartext for ApiPush credentials, allowing for potential information disclosure.

https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Push/+/625988
https://phabricator.wikimedia.org/T262724
Created mediawiki tracking bugs for this issue:

Affects: fedora-all [bug 1922226]
External References:

https://lists.wikimedia.org/pipermail/mediawiki-announce/2020-December/000270.html
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-29005