CVE-2020-15005

In MediaWiki before 1.31.8, 1.32.x and 1.33.x before 1.33.4, and 1.34.x before 1.34.2, private wikis behind a caching server using the img_auth.php image authorization security feature may have had their files cached publicly, so any unauthorized user could view them. This occurs because Cache-Control and Vary headers were mishandled.

References

Affected packages

Git / github.com/wikimedia/mediawiki

Affected ranges

Type

GIT

Repo

https://github.com/wikimedia/mediawiki

Events

Introduced

Fixed

c759d64146ad3d48c316b0052b7e240def4634da

Introduced

0fbb878ef366477535a709b0c2564bdcf4b176d1

Fixed

8f927cbf330b6ee6e675fb92435b7ee933736189

Introduced

ba90e337a4a58eb3b2fba43745d8de4a1cdafec1

Fixed

18c2d20c54f9851af639cb24603493ca197baaa8

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.31.8"
        },
        {
            "introduced": "1.32.0"
        },
        {
            "fixed": "1.33.4"
        },
        {
            "introduced": "1.34"
        },
        {
            "fixed": "1.34.2"
        }
    ]
}

Affected versions

Other

REL1_34

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-15005.json"

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "32"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "9.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "10.0"
            }
        ]
    }
]