Bug 2233116 (CVE-2023-36674) - CVE-2023-36674 MediaWiki: Manualthumb bypasses badFile lookup
Summary: CVE-2023-36674 MediaWiki: Manualthumb bypasses badFile lookup
Keywords:
Status: NEW
Alias: CVE-2023-36674
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2233911
Blocks: 2233117
TreeView+ depends on / blocked
 
Reported: 2023-08-21 14:04 UTC by Guilherme de Almeida Suckevicz
Modified: 2023-09-13 22:34 UTC (History)
1 user (show)

Fixed In Version: mediawiki 1.13.11, mediawiki 1.38.7, mediawiki 1.39.4, mediawiki 1.40.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in MediaWiki. When manually setting a thumbnail image for an image embed, the thumbnail image is not checked against the bad file list, allowing it to be embedded.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description Guilherme de Almeida Suckevicz 2023-08-21 14:04:40 UTC
An issue was discovered in MediaWiki before 1.35.11, 1.36.x through 1.38.x before 1.38.7, 1.39.x before 1.39.4, and 1.40.x before 1.40.1. It is possible to bypass the Bad image list (aka badFile) by using the thumb parameter (aka Manualthumb) of the File syntax.

Reference:
https://phabricator.wikimedia.org/T335612

Comment 1 Anten Skrabec 2023-08-23 17:21:59 UTC
Created mediawiki tracking bugs for this issue:

Affects: fedora-all [bug 2233911]


Note You need to log in before you can comment on or make changes to this bug.