
CVE-2022-28209: T304126 One of the checks for 'override-antispoof' permission is inverted (CVE-2022-28209)

An issue was discovered in MediaWiki through 1.37.1. The check for the override-antispoof permission in the AntiSpoof extension is incorrect.


One of the checks for ‘override-antispoof’ permission in the AntiSpoof extension is inverted, here: https://github.com/wikimedia/mediawiki-extensions-AntiSpoof/blob/7a5fc55dc31a0ab654a80a0fa6293027293c5b7c/includes/AntiSpoofPreAuthenticationProvider.php#L145

This might not be a real security issue – it looks like the faulty code path is only used for displaying UI messages (JS checks on Special:CreateAccount), and not for actually creating accounts. But I didn’t go through everything to prove that for sure, so I’m filing as a security task just in case.

It’s also not reproducible on Wikimedia wikis, because the anti-spoof checks there are handled by code in CentralAuth, which doesn’t have the bug: https://github.com/wikimedia/mediawiki-extensions-CentralAuth/blob/061b493dc96a874bb49e1e67c10e416fce6040be/includes/CentralAuthPrimaryAuthenticationProvider.php#L512

This has been introduced in https://gerrit.wikimedia.org/r/c/mediawiki/extensions/AntiSpoof/+/618623, by accidentally removing a ! to negate a condition.

I discovered the problem while testing a patch for T167163.
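
The following is an added example, not part of the original report and not the AntiSpoof extension's code. It models the kind of dropped `!` described above and shows a table-driven regression test that catches it. All function names are hypothetical, and the policy that holders of 'override-antispoof' skip the spoof check is an assumption.

```php
<?php
// Simplified model of a permission-gated spoof check. All names here are
// hypothetical; this is not the AntiSpoof extension's code.

/** Buggy form: the negation is missing, so the condition is inverted. */
function shouldRunSpoofCheckBuggy(bool $antiSpoofEnabled, bool $hasOverride): bool {
    return $antiSpoofEnabled && $hasOverride;
}

/** Intended form (assumed policy): holders of 'override-antispoof' skip the check. */
function shouldRunSpoofCheckFixed(bool $antiSpoofEnabled, bool $hasOverride): bool {
    return $antiSpoofEnabled && !$hasOverride;
}

/**
 * Run every (enabled, hasOverride) combination against a check and return
 * the cases where it disagrees with the expected policy.
 */
function findPolicyViolations(callable $check): array {
    // Constructed truth table: [antiSpoofEnabled, hasOverride, expected]
    $cases = [
        [true,  false, true],   // ordinary user: check must run
        [true,  true,  false],  // privileged user: check is skipped
        [false, false, false],  // feature disabled: check never runs
        [false, true,  false],
    ];
    $violations = [];
    foreach ($cases as [$enabled, $override, $expected]) {
        $actual = $check($enabled, $override);
        if ($actual !== $expected) {
            $violations[] = sprintf(
                'enabled=%s override=%s expected=%s got=%s',
                var_export($enabled, true), var_export($override, true),
                var_export($expected, true), var_export($actual, true)
            );
        }
    }
    return $violations;
}

// Report the violations found for each variant.
foreach (['shouldRunSpoofCheckBuggy', 'shouldRunSpoofCheckFixed'] as $fn) {
    $violations = findPolicyViolations($fn);
    echo $fn, ': ', $violations ? implode('; ', $violations) : 'ok', PHP_EOL;
}
```

Covering both permission states in one table matters here: a test that exercises only the unprivileged user, or only the privileged one, still flags the inversion, but a test that only checks the feature-disabled rows does not.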
