Vulnerability CVE-2019-12472: Information

Description

An Incorrect Access Control vulnerability was found in Wikimedia MediaWiki 1.18.0 through 1.32.1. It is possible to bypass the limits on IP range blocks ($wgBlockCIDRLimit) by using the API. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6.

Severity: HIGH (7.5) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

URL: https://nvd.nist.gov/vuln/detail/CVE-2019-12472
Published: July 10, 2019
Modified: Aug. 24, 2020

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
mediawikisisyphus1.29.0-alt11.40.1-alt2ALT-PU-2017-2095-1187365Fixed
mediawikip101.29.0-alt11.40.1-alt2ALT-PU-2017-2095-1187365Fixed
mediawikip91.32.2-alt11.36.1-alt1ALT-PU-2019-2054-1231690Fixed
mediawikic10f11.29.0-alt11.37.2-alt1ALT-PU-2017-2095-1187365Fixed
mediawikic9f21.32.2-alt11.34.1-alt2ALT-PU-2019-2054-1231690Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://lists.wikimedia.org/pipermail/wikitech-l/2019-June/092152.html
  • Patch
  • Third Party Advisory
https://phabricator.wikimedia.org/T199540
  • Issue Tracking
  • Third Party Advisory

    1. Configuration 1

      cpe:2.3:a:mediawiki:mediawiki:*:*:*:*:*:*:*:*
      Start including
      1.30.0
      End excliding
      1.30.2
      cpe:2.3:a:mediawiki:mediawiki:*:*:*:*:*:*:*:*
      Start including
      1.31.0
      End excliding
      1.31.2
      cpe:2.3:a:mediawiki:mediawiki:*:*:*:*:*:*:*:*
      Start including
      1.32.0
      End excliding
      1.32.2
      cpe:2.3:a:mediawiki:mediawiki:*:*:*:*:*:*:*:*
      Start including
      1.18.0
      End excliding
      1.27.6
VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
Version: v24.4.2
Back to top