CVE-2020-35480 — Observable Discrepancy in Mediawiki

CWE-203 — Observable Discrepancy CWE-200 — Sensitive Information Exposure5 documents5 sources

Severity

5.3MEDIUMNVD

EPSS

0.3%

top 42.94%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mediawiki Debian Mediawiki Debian Linux +1 more

Timeline

PublishedDec 18

Latest updateMay 24

Description

An issue was discovered in MediaWiki before 1.35.1. Missing users (accounts that don't exist) and hidden users (accounts that have been explicitly hidden due to being abusive, or similar) that the viewer cannot see are handled differently, exposing sensitive information about the hidden status to unprivileged viewers. This exists on various code paths.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages3 packages

▶debiandebian/mediawiki< mediawiki 1:1.35.1-1 (bookworm)

▶NVDmediawiki/mediawiki< 1.35.1

▶Debianmediawiki/mediawiki< 1:1.35.1-1+3

Also affects: Debian Linux 10.0, 9.0, Fedora 33

🔴Vulnerability Details

GHSA

GHSA-6wfj-pw33-8cr3: An issue was discovered in MediaWiki before 1↗2022-05-24

▶

OSV

CVE-2020-35480: An issue was discovered in MediaWiki before 1↗2020-12-18

▶

📋Vendor Advisories

Red Hat

mediawiki: divergent behavior for contributions and user pages of hidden users and missing users↗2020-12-18

▶

Debian

CVE-2020-35480: mediawiki - An issue was discovered in MediaWiki before 1.35.1. Missing users (accounts that...↗2020

▶