An issue was discovered in MediaWiki before 1.35.1. Missing users (accounts that don't exist) and hidden users (accounts that have been explicitly hidden due to being abusive, or similar) that the viewer cannot see are handled differently, exposing sensitive information about the hidden status to unprivileged viewers. This exists on various code paths.
The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.
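To make the discrepancy concrete, the following is an added Python illustration of the vulnerability class described above, not MediaWiki code (MediaWiki is written in PHP) and not taken from any of the linked advisories. The user store, the user names and the `vulnerable_lookup`/`hardened_lookup` functions are all constructed for this example. The leaky version answers differently for a user that does not exist and for a hidden user the viewer is not allowed to see; the hardened version collapses both cases into one branch before any other handling, and `leaks_hidden_status` is the regression check a maintainer can run against either implementation.

```python
from dataclasses import dataclass
from typing import Callable, Dict

@dataclass
class User:
    name: str
    hidden: bool = False  # suppressed by an administrator, e.g. for abuse

# Constructed sample user table standing in for the real user store (assumption).
USERS: Dict[str, User] = {
    "alice": User("alice"),
    "mallory": User("mallory", hidden=True),
}

def vulnerable_lookup(name: str, viewer_can_see_hidden: bool) -> dict:
    """Leaky pattern: a missing user and a hidden user the viewer may not see
    produce different responses, so the hidden state can be inferred by an
    unprivileged viewer (CWE-203, observable discrepancy)."""
    user = USERS.get(name)
    if user is None:
        return {"status": 404, "error": "no-such-user"}
    if user.hidden and not viewer_can_see_hidden:
        # Distinct status and message: reveals that the account exists and is hidden.
        return {"status": 403, "error": "user-is-hidden"}
    return {"status": 200, "name": user.name}

def hardened_lookup(name: str, viewer_can_see_hidden: bool) -> dict:
    """Fix: treat 'hidden and not visible to this viewer' exactly like
    'does not exist' on every code path, so the two cases are indistinguishable."""
    user = USERS.get(name)
    if user is None or (user.hidden and not viewer_can_see_hidden):
        return {"status": 404, "error": "no-such-user"}
    return {"status": 200, "name": user.name}

def leaks_hidden_status(lookup: Callable[[str, bool], dict]) -> bool:
    """Regression check: as an unprivileged viewer, compare the response for a
    name that does not exist with the response for a hidden user. Any difference
    is an observable discrepancy that exposes the hidden status."""
    missing = lookup("nobody", False)
    hidden = lookup("mallory", False)
    return missing != hidden

if __name__ == "__main__":
    print("vulnerable leaks:", leaks_hidden_status(vulnerable_lookup))  # True
    print("hardened leaks:  ", leaks_hidden_status(hardened_lookup))    # False
```

The same check generalises to any endpoint that renders user state (user pages, contribution lists, API queries): run it once per code path with an unprivileged viewer, because a single path that still branches on the hidden flag before the visibility check reintroduces the leak.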
| Link | Tags |
|---|---|
| https://phabricator.wikimedia.org/T120883 | permissions required |
| https://lists.wikimedia.org/pipermail/mediawiki-announce/2020-December/000268.html | vendor advisory, mailing list, release notes |
| https://www.debian.org/security/2020/dsa-4816 | vendor advisory, mailing list, third party advisory |
| https://lists.debian.org/debian-lts-announce/2020/12/msg00034.html | third party advisory, mailing list |
| https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/STT5Z4A3BCXVH3WIPICWU2FP4IPIMUPC/ | vendor advisory |