CVE-2011-1766
First published: Mon May 23 2011(Updated: )
includes/User.php in MediaWiki before 1.16.5, when wgBlockDisablesLogin is enabled, does not clear certain cached data after verification of an auth token fails, which allows remote attackers to bypass authentication by creating crafted wikiUserID and wikiUserName cookies, or by leveraging an unattended workstation.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| MediaWiki | =1.3.13 | |
| MediaWiki | =1.5.6 | |
| MediaWiki | =1.4-beta1 | |
| MediaWiki | =1.16.0-beta2 | |
| MediaWiki | =1.7.3 | |
| MediaWiki | =1.6.3 | |
| MediaWiki | =1.8.2 | |
| MediaWiki | =1.5.1 | |
| MediaWiki | =1.5.8 | |
| MediaWiki | =1.4-beta2 | |
| MediaWiki | =1.4.11 | |
| MediaWiki | =1.2.4 | |
| MediaWiki | =1.12.1 | |
| MediaWiki | =1.3.12 | |
| MediaWiki | =1.4.1 | |
| MediaWiki | =1.4.8 | |
| MediaWiki | =1.5.3 | |
| MediaWiki | =1.13.0-rc2 | |
| MediaWiki | =1.14.0-rc1 | |
| MediaWiki | =1.9.3 | |
| MediaWiki | =1.11.0 | |
| MediaWiki | =1.6.12 | |
| MediaWiki | =1.4-beta3 | |
| MediaWiki | =1.4-beta6 | |
| MediaWiki | =1.5-alpha2 | |
| MediaWiki | =1.15.1 | |
| MediaWiki | =1.15.0-rc1 | |
| MediaWiki | =1.5-beta1 | |
| MediaWiki | =1.4.9 | |
| MediaWiki | =1.15.0 | |
| MediaWiki | =1.4.3 | |
| MediaWiki | =1.8.0 | |
| MediaWiki | =1.5-beta4 | |
| MediaWiki | =1.5-beta3 | |
| MediaWiki | =1.5-rc2 | |
| MediaWiki | =1.16.3 | |
| MediaWiki | =1.3.5 | |
| MediaWiki | =1.12.3 | |
| MediaWiki | =1.15.3 | |
| MediaWiki | =1.6.2 | |
| MediaWiki | =1.3.6 | |
| MediaWiki | =1.9.2 | |
| MediaWiki | =1.12.0 | |
| MediaWiki | =1.11.0-rc1 | |
| MediaWiki | =1.4.2 | |
| MediaWiki | =1.6.10 | |
| MediaWiki | =1.2.1 | |
| MediaWiki | =1.13.4 | |
| MediaWiki | =1.2.2 | |
| MediaWiki | =1.16.1 | |
| MediaWiki | =1.6.7 | |
| MediaWiki | =1.6.5 | |
| MediaWiki | =1.5.2 | |
| MediaWiki | =1.6.9 | |
| MediaWiki | =1.6.6 | |
| MediaWiki | =1.2.5 | |
| MediaWiki | =1.6.4 | |
| MediaWiki | =1.3 | |
| MediaWiki | =1.10.0-rc2 | |
| MediaWiki | =1.3.10 | |
| MediaWiki | =1.7.1 | |
| MediaWiki | =1.3.4 | |
| MediaWiki | =1.4-beta5 | |
| MediaWiki | =1.11.2 | |
| MediaWiki | =1.9.4 | |
| MediaWiki | =1.8.5 | |
| MediaWiki | =1.5.0 | |
| MediaWiki | =1.15.5 | |
| MediaWiki | =1.6.11 | |
| MediaWiki | =1.15.2 | |
| MediaWiki | =1.5-rc3 | |
| MediaWiki | =1.9.1 | |
| MediaWiki | =1.10.4 | |
| MediaWiki | =1.9.0-rc2 | |
| MediaWiki | =1.10.1 | |
| MediaWiki | =1.5.5 | |
| MediaWiki | =1.14.0 | |
| MediaWiki | =1.3.9 | |
| MediaWiki | =1.8.3 | |
| MediaWiki | =1.13.3 | |
| MediaWiki | =1.3.15 | |
| MediaWiki | =1.13.1 | |
| MediaWiki | =1.5.4 | |
| MediaWiki | =1.10.3 | |
| MediaWiki | =1.4.0 | |
| MediaWiki | =1.10.2 | |
| MediaWiki | =1.2.6 | |
| MediaWiki | <=1.16.4 | |
| MediaWiki | =1.11 | |
| MediaWiki | =1.4.14 | |
| MediaWiki | =1.8.4 | |
| MediaWiki | =1.3.0 | |
| MediaWiki | =1.5-beta2 | |
| MediaWiki | =1.6.0 | |
| MediaWiki | =1.4.5 | |
| MediaWiki | =1.1.0 | |
| MediaWiki | =1.13.0 | |
| MediaWiki | =1.16.0 | |
| MediaWiki | =1.7.0 | |
| MediaWiki | =1.3.3 | |
| MediaWiki | =1.8.1 | |
| MediaWiki | =1.13.0-rc1 | |
| MediaWiki | =1.12.4 | |
| MediaWiki | =1.2.3 | |
| MediaWiki | =1.3.1 | |
| MediaWiki | =1.6.1 | |
| MediaWiki | =1.4.13 | |
| MediaWiki | =1.9.0 | |
| MediaWiki | =1.16.2 | |
| MediaWiki | =1.10.0-rc1 | |
| MediaWiki | =1.9.5 | |
| MediaWiki | =1.4-beta4 | |
| MediaWiki | =1.3.14 | |
| MediaWiki | =1.15.4 | |
| MediaWiki | =1.4.4 | |
| MediaWiki | =1.2.0 | |
| MediaWiki | =1.3.7 | |
| MediaWiki | =1.5-rc4 | |
| MediaWiki | =1.16.0-beta1 | |
| MediaWiki | =1.5-alpha1 | |
| MediaWiki | =1.13.2 | |
| MediaWiki | =1.4.12 | |
| MediaWiki | =1.7.2 | |
| MediaWiki | =1.14.1 | |
| MediaWiki | =1.4.6 | |
| MediaWiki | =1.5.7 | |
| MediaWiki | =1.4.10 | |
| MediaWiki | =1.11.1 | |
| MediaWiki | =1.3.11 | |
| MediaWiki | =1.3.8 | |
| MediaWiki | =1.9.6 | |
| MediaWiki | =1.3.2 | |
| MediaWiki | =1.6.8 | |
| MediaWiki | =1.10.0 | |
| MediaWiki | =1.12.2 | |
| MediaWiki | =1.12.0-rc1 | |
| MediaWiki | =1.4.7 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.wikimedia.org/pipermail/mediawiki-announce/2011-May/000098.html
- http://www.securityfocus.com/bid/47722
- http://lists.fedoraproject.org/pipermail/package-announce/2011-May/060435.html
- http://lists.fedoraproject.org/pipermail/package-announce/2011-May/060507.html
- https://bugzilla.wikimedia.org/show_bug.cgi?id=28639
- https://bugzilla.redhat.com/show_bug.cgi?id=702512
- http://lists.fedoraproject.org/pipermail/package-announce/2011-May/060496.html
- http://secunia.com/advisories/44684
Frequently Asked Questions
What is the severity of CVE-2011-1766?
CVE-2011-1766 has a medium severity rating due to its potential to allow unauthorized access.
How do I fix CVE-2011-1766?
To fix CVE-2011-1766, upgrade MediaWiki to version 1.16.5 or later.
Which versions of MediaWiki are affected by CVE-2011-1766?
MediaWiki versions before 1.16.5, including 1.16.0 to 1.16.4, as well as earlier versions down to 1.1.0, are affected by CVE-2011-1766.
Can CVE-2011-1766 be exploited remotely?
Yes, CVE-2011-1766 can be exploited remotely by attackers to bypass authentication.
What is the impact of not addressing CVE-2011-1766?
Not addressing CVE-2011-1766 may lead to unauthorized access, potentially compromising the integrity of the MediaWiki installation.
- agent/type
- agent/references
- agent/weakness
- agent/severity
- agent/author
- agent/remedy
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-historical
- agent/software-canonical-lookup-request
- collector/nvd-index
- vendor/mediawiki
- canonical/mediawiki
- version/mediawiki/1.3.13
- version/mediawiki/1.5.6
- version/mediawiki/1.4-beta1
- version/mediawiki/1.16.0-beta2
- version/mediawiki/1.7.3
- version/mediawiki/1.6.3
- version/mediawiki/1.8.2
- version/mediawiki/1.5.1
- version/mediawiki/1.5.8
- version/mediawiki/1.4-beta2
- version/mediawiki/1.4.11
- version/mediawiki/1.2.4
- version/mediawiki/1.12.1
- version/mediawiki/1.3.12
- version/mediawiki/1.4.1
- version/mediawiki/1.4.8
- version/mediawiki/1.5.3
- version/mediawiki/1.13.0-rc2
- version/mediawiki/1.14.0-rc1
- version/mediawiki/1.9.3
- version/mediawiki/1.11.0
- version/mediawiki/1.6.12
- version/mediawiki/1.4-beta3
- version/mediawiki/1.4-beta6
- version/mediawiki/1.5-alpha2
- version/mediawiki/1.15.1
- version/mediawiki/1.15.0-rc1
- version/mediawiki/1.5-beta1
- version/mediawiki/1.4.9
- version/mediawiki/1.15.0
- version/mediawiki/1.4.3
- version/mediawiki/1.8.0
- version/mediawiki/1.5-beta4
- version/mediawiki/1.5-beta3
- version/mediawiki/1.5-rc2
- version/mediawiki/1.16.3
- version/mediawiki/1.3.5
- version/mediawiki/1.12.3
- version/mediawiki/1.15.3
- version/mediawiki/1.6.2
- version/mediawiki/1.3.6
- version/mediawiki/1.9.2
- version/mediawiki/1.12.0
- version/mediawiki/1.11.0-rc1
- version/mediawiki/1.4.2
- version/mediawiki/1.6.10
- version/mediawiki/1.2.1
- version/mediawiki/1.13.4
- version/mediawiki/1.2.2
- version/mediawiki/1.16.1
- version/mediawiki/1.6.7
- version/mediawiki/1.6.5
- version/mediawiki/1.5.2
- version/mediawiki/1.6.9
- version/mediawiki/1.6.6
- version/mediawiki/1.2.5
- version/mediawiki/1.6.4
- version/mediawiki/1.3
- version/mediawiki/1.10.0-rc2
- version/mediawiki/1.3.10
- version/mediawiki/1.7.1
- version/mediawiki/1.3.4
- version/mediawiki/1.4-beta5
- version/mediawiki/1.11.2
- version/mediawiki/1.9.4
- version/mediawiki/1.8.5
- version/mediawiki/1.5.0
- version/mediawiki/1.15.5
- version/mediawiki/1.6.11
- version/mediawiki/1.15.2
- version/mediawiki/1.5-rc3
- version/mediawiki/1.9.1
- version/mediawiki/1.10.4
- version/mediawiki/1.9.0-rc2
- version/mediawiki/1.10.1
- version/mediawiki/1.5.5
- version/mediawiki/1.14.0
- version/mediawiki/1.3.9
- version/mediawiki/1.8.3
- version/mediawiki/1.13.3
- version/mediawiki/1.3.15
- version/mediawiki/1.13.1
- version/mediawiki/1.5.4
- version/mediawiki/1.10.3
- version/mediawiki/1.4.0
- version/mediawiki/1.10.2
- version/mediawiki/1.2.6
- version/mediawiki/1.16.4
- version/mediawiki/1.11
- version/mediawiki/1.4.14
- version/mediawiki/1.8.4
- version/mediawiki/1.3.0
- version/mediawiki/1.5-beta2
- version/mediawiki/1.6.0
- version/mediawiki/1.4.5
- version/mediawiki/1.1.0
- version/mediawiki/1.13.0
- version/mediawiki/1.16.0
- version/mediawiki/1.7.0
- version/mediawiki/1.3.3
- version/mediawiki/1.8.1
- version/mediawiki/1.13.0-rc1
- version/mediawiki/1.12.4
- version/mediawiki/1.2.3
- version/mediawiki/1.3.1
- version/mediawiki/1.6.1
- version/mediawiki/1.4.13
- version/mediawiki/1.9.0
- version/mediawiki/1.16.2
- version/mediawiki/1.10.0-rc1
- version/mediawiki/1.9.5
- version/mediawiki/1.4-beta4
- version/mediawiki/1.3.14
- version/mediawiki/1.15.4
- version/mediawiki/1.4.4
- version/mediawiki/1.2.0
- version/mediawiki/1.3.7
- version/mediawiki/1.5-rc4
- version/mediawiki/1.16.0-beta1
- version/mediawiki/1.5-alpha1
- version/mediawiki/1.13.2
- version/mediawiki/1.4.12
- version/mediawiki/1.7.2
- version/mediawiki/1.14.1
- version/mediawiki/1.4.6
- version/mediawiki/1.5.7
- version/mediawiki/1.4.10
- version/mediawiki/1.11.1
- version/mediawiki/1.3.11
- version/mediawiki/1.3.8
- version/mediawiki/1.9.6
- version/mediawiki/1.3.2
- version/mediawiki/1.6.8
- version/mediawiki/1.10.0
- version/mediawiki/1.12.2
- version/mediawiki/1.12.0-rc1
- version/mediawiki/1.4.7