CVE-2019-12472: MediaWiki Incorrect Access Control vulnerability

May 24, 2022 (updated May 15, 2024)

An Incorrect Access Control vulnerability was found in Wikimedia MediaWiki 1.18.0 through 1.32.1. It is possible to bypass the limits on IP range blocks ($wgBlockCIDRLimit) by using the API. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6.

References

github.com/FriendsOfPHP/security-advisories/blob/master/mediawiki/core/CVE-2019-12472.yaml
github.com/advisories/GHSA-7mqg-5fgh-xh4r
github.com/wikimedia/mediawiki
lists.wikimedia.org/pipermail/wikitech-l/2019-June/092152.html
nvd.nist.gov/vuln/detail/CVE-2019-12472
phabricator.wikimedia.org/T199540

Code Behaviors & Features

Detect and mitigate CVE-2019-12472 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →