Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 890373 (CVE-2022-39193, CVE-2023-22909, CVE-2023-22910, CVE-2023-22911, CVE-2023-22912, CVE-2023-22945) - www-apps/mediawiki: multiple vulnerabilities
Summary: www-apps/mediawiki: multiple vulnerabilities
Status: CONFIRMED
Alias: CVE-2022-39193, CVE-2023-22909, CVE-2023-22910, CVE-2023-22911, CVE-2023-22912, CVE-2023-22945
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B4 [??]
Keywords:
Depends on:
Blocks:
 
Reported: 2023-01-10 22:47 UTC by John Helmert III
Modified: 2023-01-22 23:48 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-01-10 22:47:59 UTC 
CVE-2023-22909 (https://phabricator.wikimedia.org/T320987):

An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. SpecialMobileHistory allows remote attackers to cause a denial of service because database queries are slow.

CVE-2023-22911 (https://phabricator.wikimedia.org/T149488):

An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. E-Widgets does widget replacement in HTML attributes, which can lead to XSS, because widget authors often do not expect that their widget is executed in an HTML attribute context.

The CVEs say these are fixed in 1.38.5/1.39.1, but I don't think I see
the patches in Git?
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-01-12 02:46:17 UTC 
CVE-2023-22945 (https://phabricator.wikimedia.org/T321733):
https://gerrit.wikimedia.org/r/q/Id1b83fcd58eccb8b2dfea44a3ab2f72314860d88

In the GrowthExperiments extension for MediaWiki through 1.39, the growthmanagementorlist API allows blocked users (blocked in ApiManageMentorList) to enroll as mentors or edit any of their mentorship-related properties.

Gerrit says it's merged, but I can't tell if it's in any release.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-01-22 23:47:44 UTC 
CVE-2022-39193 (https://phabricator.wikimedia.org/T311337):

An issue was discovered in the CheckUser extension for MediaWiki through 1.39.x. Various components of this extension can expose information on the performer of edits and logged actions. This information should not allow public viewing: it is supposed to be viewable only by users with checkuser access.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-01-22 23:48:41 UTC 
CVE-2023-22910 (https://phabricator.wikimedia.org/T323592):

An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. There is XSS in Wikibase date formatting via wikibase-time-precision-* fields. This allows JavaScript execution by staff/admin users who do not intentionally have the editsitejs capability.

CVE-2023-22912 (https://phabricator.wikimedia.org/T315123):

An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. CheckUser TokenManager insecurely uses AES-CTR encryption with a repeated (aka re-used) nonce, allowing an adversary to decrypt.