CVE-2014-2243
Published: 2 March 2014
includes/User.php in MediaWiki before 1.19.12, 1.20.x and 1.21.x before 1.21.6, and 1.22.x before 1.22.3 terminates validation of a user token upon encountering the first incorrect character, which makes it easier for remote attackers to obtain access via a brute-force attack that relies on timing differences in responses to incorrect token guesses.
Priority
Status
Package | Release | Status |
---|---|---|
mediawiki Launchpad, Ubuntu, Debian |
lucid |
Ignored
(end of life)
|
precise |
Ignored
(end of life)
|
|
quantal |
Ignored
(end of life)
|
|
saucy |
Ignored
(end of life)
|
|
trusty |
Does not exist
(trusty was not-affected [1:1.19.14+dfsg-1])
|
|
upstream |
Released
(1.19.12)
|
|
utopic |
Not vulnerable
(1:1.19.14+dfsg-1)
|
|
vivid |
Not vulnerable
(1:1.19.14+dfsg-1)
|
|
wily |
Not vulnerable
(1:1.19.14+dfsg-1)
|
|
xenial |
Does not exist
|
|
yakkety |
Not vulnerable
|
|
zesty |
Not vulnerable
|
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2243
- http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-February/000141.html
- https://gerrit.wikimedia.org/r/#/q/I2a9e89120f7092015495e638c6fa9f67adc9b84f,n,z
- https://bugzilla.wikimedia.org/show_bug.cgi?id=61346
- https://bugzilla.redhat.com/show_bug.cgi?id=1071136
- http://openwall.com/lists/oss-security/2014/03/01/2
- http://openwall.com/lists/oss-security/2014/02/28/1
- NVD
- Launchpad
- Debian