2233116 – (CVE-2023-36674) CVE-2023-36674 MediaWiki: Manualthumb bypasses badFile lookup

Bug 2233116 (CVE-2023-36674) - CVE-2023-36674 MediaWiki: Manualthumb bypasses badFile lookup

Summary: CVE-2023-36674 MediaWiki: Manualthumb bypasses badFile lookup

Keywords:
Status:	NEW
Alias:	CVE-2023-36674
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2233911
Blocks:	2233117
TreeView+	depends on / blocked

Reported:	2023-08-21 14:04 UTC by Guilherme de Almeida Suckevicz
Modified:	2023-09-13 22:34 UTC (History)
CC List:	1 user (show)
Fixed In Version:	mediawiki 1.13.11, mediawiki 1.38.7, mediawiki 1.39.4, mediawiki 1.40.1
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in MediaWiki. When manually setting a thumbnail image for an image embed, the thumbnail image is not checked against the bad file list, allowing it to be embedded.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Guilherme de Almeida Suckevicz 2023-08-21 14:04:40 UTC

An issue was discovered in MediaWiki before 1.35.11, 1.36.x through 1.38.x before 1.38.7, 1.39.x before 1.39.4, and 1.40.x before 1.40.1. It is possible to bypass the Bad image list (aka badFile) by using the thumb parameter (aka Manualthumb) of the File syntax.

Reference:
https://phabricator.wikimedia.org/T335612

Comment 1 Anten Skrabec 2023-08-23 17:21:59 UTC

Created mediawiki tracking bugs for this issue:

Affects: fedora-all [bug 2233911]

Note You need to log in before you can comment on or make changes to this bug.