CVE-2023-36674: Input Validation
First published: Sun Aug 20 2023(Updated: )
An issue was discovered in MediaWiki before 1.35.11, 1.36.x through 1.38.x before 1.38.7, 1.39.x before 1.39.4, and 1.40.x before 1.40.1. It is possible to bypass the Bad image list (aka badFile) by using the thumb parameter (aka Manualthumb) of the File syntax.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/mediawiki | 1:1.31.16-1+deb10u2 1:1.31.16-1+deb10u6 1:1.35.11-1~deb11u1 1:1.35.13-1~deb11u1 1:1.39.4-1~deb12u1 1:1.39.5-1~deb12u1 1:1.39.5-1 | |
| MediaWiki MediaWiki | <1.35.11 | |
| MediaWiki MediaWiki | >=1.36.0<1.38.7 | |
| MediaWiki MediaWiki | >=1.39.0<1.39.4 | |
| MediaWiki MediaWiki | =1.40.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://phabricator.wikimedia.org/T335612
- https://gerrit.wikimedia.org/r/c/mediawiki/core/+/934571/
- https://security-tracker.debian.org/tracker/CVE-2023-36674
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2UIVGYECQGTUC2LLPVCZBPDLCTOHL2F6/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6CHRX6DSLAMVXCV2YMJEWOLTBEYSESE5/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DOAXEGYBOEM4JWB4J3BDH73NK2LCYC3O/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DOAXEGYBOEM4JWB4J3BDH73NK2LCYC3O/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2UIVGYECQGTUC2LLPVCZBPDLCTOHL2F6/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6CHRX6DSLAMVXCV2YMJEWOLTBEYSESE5/
Frequently Asked Questions
What is CVE-2023-36674?
CVE-2023-36674 is a vulnerability in MediaWiki versions before 1.35.11, 1.36.x through 1.38.x before 1.38.7, 1.39.x before 1.39.4, and 1.40.x before 1.40.1 that allows bypassing the Bad image list through the use of the thumb parameter in the File syntax.
How severe is CVE-2023-36674?
CVE-2023-36674 has a severity rating of 5.3 (medium).
How does CVE-2023-36674 affect MediaWiki?
CVE-2023-36674 affects MediaWiki versions before 1.35.11, 1.36.x through 1.38.x before 1.38.7, 1.39.x before 1.39.4, and 1.40.x before 1.40.1.
How can I fix CVE-2023-36674 in MediaWiki?
To fix CVE-2023-36674, you should update MediaWiki to version 1.35.11, 1.38.7, 1.39.4, or 1.40.1 depending on the branch you are using.
Where can I find more information about CVE-2023-36674?
You can find more information about CVE-2023-36674 in the references provided: [Phabricator](https://phabricator.wikimedia.org/T335612), [Gerrit](https://gerrit.wikimedia.org/r/c/mediawiki/core/+/934571/), and [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2023-36674).
- collector/security-tracker-debian
- agent/author
- agent/type
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/severity
- agent/remedy
- agent/softwarecombine
- agent/description
- agent/references
- agent/first-publish-date
- agent/event
- collector/mitre-cve
- source/MITRE
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/weakness
- agent/tags
- agent/source
- package-manager/debian
- vendor/mediawiki
- canonical/mediawiki mediawiki
- version/mediawiki mediawiki/1.36.0
- version/mediawiki mediawiki/1.39.0
- version/mediawiki mediawiki/1.40.0