Vulnerability CVE-2020-35480: Information

Description

An issue was discovered in MediaWiki before 1.35.1. Missing users (accounts that don't exist) and hidden users (accounts that have been explicitly hidden due to being abusive, or similar) that the viewer cannot see are handled differently, exposing sensitive information about the hidden status to unprivileged viewers. This exists on various code paths.

Severity: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

URL: https://nvd.nist.gov/vuln/detail/CVE-2020-35480

Published: Dec. 18, 2020

Modified: Nov. 7, 2023

Error type identifier: CWE-203

Fixed packages

Package name	Branch	Fixed in version	Version from repository	Errata ID	Task #	State
mediawiki	sisyphus	1.35.1-alt1	1.40.1-alt2	ALT-PU-2020-3554-1	263831	Fixed
mediawiki	p10	1.35.1-alt1	1.40.1-alt2	ALT-PU-2020-3554-1	263831	Fixed
mediawiki	p9	1.35.1-alt1	1.36.1-alt1	ALT-PU-2020-3568-1	263837	Fixed
mediawiki	c10f1	1.35.1-alt1	1.37.2-alt1	ALT-PU-2020-3554-1	263831	Fixed

References to Advisories, Solutions, and Tools

Hyperlink	Resource
https://lists.wikimedia.org/pipermail/mediawiki-announce/2020-December/000268.html	Mailing List Release Notes Vendor Advisory
https://phabricator.wikimedia.org/T120883	Permissions Required
DSA-4816	Mailing List Third Party Advisory
[debian-lts-announce] 20201223 [SECURITY] [DLA 2504-1] mediawiki security update	Mailing List Third Party Advisory
FEDORA-2020-0be2d40e13

Affected configurations:
1. Configuration 1
  cpe:2.3:a:mediawiki:mediawiki:*:*:*:*:*:*:*:*
  End excliding
  1.35.1
  
  Configuration 2
  cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
  cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
  
  Configuration 3
  cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*

Version: v24.4.2

Vulnerability CVE-2020-35480: Information

Description

Fixed packages

References to Advisories, Solutions, and Tools

Configuration 1

Configuration 2

Configuration 3