Fluid Attacks Database

Description

MediaWiki Incorrect Access Control vulnerability An Incorrect Access Control vulnerability was found in Wikimedia MediaWiki 1.18.0 through 1.32.1. It is possible to bypass the limits on IP range blocks ($wgBlockCIDRLimit) by using the API. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	mediawiki	>=0 <1:1.31.2-1	1:1.31.2-1
debian 13	mediawiki	>=0 <1:1.31.2-1	1:1.31.2-1
packagist	mediawiki/core	>=1.18.0 <1.27.6 \|\| >=1.30.0 <1.30.2 \|\| >=1.31.0 <1.31.2 \|\| >=1.32.0 <1.32.2	1.27.6, 1.30.2, 1.31.2, 1.32.2
debian 12	mediawiki	>=0 <1:1.31.2-1	1:1.31.2-1
debian 14	mediawiki	>=0 <1:1.31.2-1	1:1.31.2-1

Aliases

1. CVE-2019-124722. NVD-2019-124723. OSV-DEBIAN-2019-124724. OSV-2019-124725. GCVE-2019-124726. SECURITY-TRACKER-CVE-2019-12472

References

1. https://github.com/FriendsOfPHP/security-advisories/blob/master/mediawiki/core/CVE-2019-12472.yaml2. https://lists.wikimedia.org/pipermail/wikitech-l/2019-June/092152.html3. https://phabricator.wikimedia.org/T199540