In the GlobalBlocking extension before 2020-03-10 for MediaWiki through 1.34.0, an issue related to IP range evaluation resulted in blocked users re-gaining escalated privileges. This is related to the case in which an IP address is contained in two ranges, one of which is locally disabled.

Reference: https://phabricator.wikimedia.org/T229731

Upstream commit: https://gerrit.wikimedia.org/r/#/q/I9cc5fb2c08c78bbd797a5fc6d89f4577c8cc118b
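The case named in the description, one address covered by two ranges with one range locally disabled, is sketched below as an added example. It is not GlobalBlocking's code; the first-match lookup is an assumed simplification of how such an evaluation can go wrong, and the block list and function names are hypothetical.

```python
import ipaddress

# Constructed sample data: overlapping global range blocks.
# "locally_disabled" models a wiki that has opted out of one global block.
GLOBAL_BLOCKS = [
    {"id": 1, "range": "198.51.100.0/24", "locally_disabled": True},
    {"id": 2, "range": "198.51.100.0/28", "locally_disabled": False},
    {"id": 3, "range": "2001:db8::/32", "locally_disabled": True},
]


def matching_blocks(ip, blocks=GLOBAL_BLOCKS):
    """Return every block whose range contains the address."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for block in blocks:
        net = ipaddress.ip_network(block["range"])
        if addr.version == net.version and addr in net:
            hits.append(block)
    return hits


def is_blocked_first_match(ip, blocks=GLOBAL_BLOCKS):
    """Assumed flawed evaluation: only the first matching range is consulted,
    so a locally disabled range hides an enabled one that also matches."""
    hits = matching_blocks(ip, blocks)
    return bool(hits) and not hits[0]["locally_disabled"]


def is_blocked_all_matches(ip, blocks=GLOBAL_BLOCKS):
    """Corrected evaluation: blocked if any matching range is still enabled."""
    return any(not b["locally_disabled"] for b in matching_blocks(ip, blocks))


def masked_pairs(blocks=GLOBAL_BLOCKS):
    """Audit helper: (disabled_id, enabled_id) for overlapping range pairs
    where a first-match lookup could let the disabled range win."""
    pairs = []
    for d in (b for b in blocks if b["locally_disabled"]):
        d_net = ipaddress.ip_network(d["range"])
        for e in (b for b in blocks if not b["locally_disabled"]):
            e_net = ipaddress.ip_network(e["range"])
            if d_net.version == e_net.version and d_net.overlaps(e_net):
                pairs.append((d["id"], e["id"]))
    return pairs


if __name__ == "__main__":
    for ip in ("198.51.100.5", "198.51.100.200", "2001:db8::1"):
        print(ip, is_blocked_first_match(ip), is_blocked_all_matches(ip))
    print("overlapping disabled/enabled pairs:", masked_pairs())
```
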
Created mediawiki tracking bugs for this issue:

Affects: fedora-all [bug 1815174]
This issue is for the *extension* GlobalBlocking. It is not shipped as a bundled extension and the patch is *not* in the core of mediawiki. This bug should not have been opened.
Agreed, seems strange. Setting OpenShift 3 and 4 to not affected.

Whilst MediaWiki does include extensions by default, GlobalBlocking is not one of them. Not even sure of the status of the extension given that it's been in beta for several years:
- https://www.mediawiki.org/wiki/Extension:GlobalBlocking
- https://www.mediawiki.org/wiki/Extension_talk:GlobalBlocking

Confirmed the following OpenShift images don't include GlobalBlocking.
- openshift3/mediawiki
- openshift4/mediawiki
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-10534