Mageia 8: MGASA-2023-0204 Critical: MediaWiki DoS and Access Control Issues

mageia

June 28, 2023

Bundled PapaParse copy in VisualEditor has known ReDos (CVE-2020-36649)

Summary

Bundled PapaParse copy in VisualEditor has known ReDos (CVE-2020-36649).
An issue was discovered in MediaWiki before 1.35.9. When installing with a pre-existing data directory that has weak permissions, the SQLite files are created with file mode 0644, i.e., world readable to local users. These files include credentials data (CVE-2022-47927).
An issue was discovered in MediaWiki before 1.35.9. SpecialMobileHistory allows remote attackers to cause a denial of service because database queries are slow (CVE-2023-22909).
An issue was discovered in MediaWiki before 1.35.9. E-Widgets does widget replacement in HTML attributes, which can lead to XSS, because widget authors often do not expect that their widget is executed in an HTML attribute context (CVE-2023-22911).
An issue was discovered in MediaWiki before 1.35.10. An auto-block can occur for an untrusted X-Forwarded-For header (CVE-2023-29141).
OATHAuth allows replay attacks when MediaWiki is configured without ObjectCache; Insecure ...

Read the Full Advisory

References

- https://bugs.mageia.org/show_bug.cgi?id=31463

- https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/message/UEMW64LVEH3BEXCJV43CVS6XPYURKWU3/

- https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/message/6UQBHI5FWLATD7QO7DI4YS54U7XSSLAN/

- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/AP65YEN762IBNQPOYGUVLTQIDLM5XD2A/

- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZGK4NZPIJ5ET2ANRZOUYPCRIB5I64JR7/

- https://www.cve.org/CVERecord?id=CVE-2020-36649

- https://www.cve.org/CVERecord?id=CVE-2022-47927

- https://www.cve.org/CVERecord?id=CVE-2023-22909

- https://www.cve.org/CVERecord?id=CVE-2023-2291

- https://www.cve.org/CVERecord?id=CVE-2023-29141

Topics Covered

security advisory XSS access control DoS Mageia ReDoS

Resolution

SRPMS

- 8/core/mediawiki-1.35.10-1.mga8

Severity

critical

Lowest

Low

Medium

High

Critical

Publication date: 28 Jun 2023

URL: https://advisories.mageia.org/MGASA-2023-0204.html

Type: security

CVE: CVE-2020-36649, CVE-2022-47927, CVE-2023-22909, CVE-2023-2291, CVE-2023-29141

Topics Covered

security advisory XSS access control DoS Mageia ReDoS

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Mageia 8: MGASA-2023-0204 Critical: MediaWiki DoS and Access Control Issues

Summary

References

Topics Covered

Resolution

SRPMS

Topics Covered

Get the latest News and Insights

Powered By

Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases

QUICK LINKS

subscribe to newsletters!

Mageia 8: MGASA-2023-0204 Critical: MediaWiki DoS and Access Control Issues

Summary

References

Topics Covered

Resolution

SRPMS

Topics Covered

Get the latest News and Insights

Related Articles

Powered By

Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases

QUICK LINKS

subscribe to newsletters!