Fluid Attacks Database

Description

img_auth.php may leak private extension images into the public cache In MediaWiki before 1.31.8, 1.32.x and 1.33.x before 1.33.4, and 1.34.x before 1.34.2, private wikis behind a caching server using the img_auth.php image authorization security feature may have had their files cached publicly, so any unauthorized user could view them. This occurs because Cache-Control and Vary headers were mishandled.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 13	mediawiki	>=0 <1:1.31.8-1	1:1.31.8-1
debian 14	mediawiki	>=0 <1:1.31.8-1	1:1.31.8-1
packagist	mediawiki/core	>=0 <1.31.8 \|\| >=1.32.0 <1.33.4 \|\| >=1.34.0 <1.34.2	1.31.8, 1.33.4, 1.34.2
debian 11	mediawiki	>=0 <1:1.31.8-1	1:1.31.8-1
debian 12	mediawiki	>=0 <1:1.31.8-1	1:1.31.8-1

Aliases

1. CVE-2020-150052. NVD-2020-150053. OSV-DEBIAN-2020-150054. OSV-2020-150055. GCVE-2020-150056. SECURITY-TRACKER-CVE-2020-150057. lists.debian.org

References

1. https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/core/+/REL1_31/RELEASE-NOTES-1.312. https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/core/+/REL1_33/RELEASE-NOTES-1.333. https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/core/+/REL1_34/RELEASE-NOTES-1.344. https://lists.fedoraproject.org/archives/list/[email protected]/message/EEZIMLJMJS72SJXPYL736XMUAVCRQD2H5. https://lists.wikimedia.org/pipermail/wikitech-l/2020-June/093535.html6. https://phabricator.wikimedia.org/T2489477. https://www.debian.org/security/2020/dsa-4767