Vulnerability CVE-2015-8005

Vulnerability Name:

CVE-2015-8005 (CCN-107707)

Assigned:

2015-10-29

Published:

2015-10-29

Updated:

2015-11-10

Summary:

MediaWiki before 1.23.11, 1.24.x before 1.24.4, and 1.25.x before 1.25.3 uses the thumbnail ImageMagick command line argument, which allows remote attackers to obtain the installation path by reading the metadata of a PNG thumbnail file.

CVSS v3 Severity:

7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
6.4 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): Low

CVSS v2 Severity:

5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

7.5 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

Vulnerability Type:

CWE-200

Vulnerability Consequences:

Denial of Service

References:

Source: MITRE
Type: CNA
CVE-2015-8005

Source: CCN
Type: SECTRACK ID: 1034028
MediaWiki Multiple Bugs Let Remote Users Obtain Potentially Sensitive Information and Conduct Cross-Site Scripting Attacks and Let Remote Authenticated Users Bypass Security and Deny Service

Source: SECTRACK
Type: UNKNOWN
1034028

Source: XF
Type: UNKNOWN
mediawiki-cve20158005-file-include(107707)

Source: MLIST
Type: Patch, Vendor Advisory
[MediaWiki-announce] 20151016 Security Release: 1.25.3, 1.24.4 and 1.23.11

Source: CONFIRM
Type: Vendor Advisory
https://phabricator.wikimedia.org/T108616

Source: CCN
Type: MediaWiki Web site
MediaWiki

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2015-8005

Vulnerable Configuration:

Configuration 1:

cpe:/a:mediawiki:mediawiki:*:*:*:*:*:*:*:* (Version <= 1.23.10)

OR cpe:/a:mediawiki:mediawiki:1.24.0:*:*:*:*:*:*:*

OR cpe:/a:mediawiki:mediawiki:1.24.1:*:*:*:*:*:*:*

OR cpe:/a:mediawiki:mediawiki:1.24.2:*:*:*:*:*:*:*

OR cpe:/a:mediawiki:mediawiki:1.24.3:*:*:*:*:*:*:*

OR cpe:/a:mediawiki:mediawiki:1.25.0:*:*:*:*:*:*:*

OR cpe:/a:mediawiki:mediawiki:1.25.1:*:*:*:*:*:*:*

OR cpe:/a:mediawiki:mediawiki:1.25.2:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:com.ubuntu.disco:def:201580050000000	V	CVE-2015-8005 on Ubuntu 19.04 (disco) - low.	2015-11-09
oval:com.ubuntu.artful:def:20158005000	V	CVE-2015-8005 on Ubuntu 17.10 (artful) - low.	2015-11-09
oval:com.ubuntu.trusty:def:20158005000	V	CVE-2015-8005 on Ubuntu 14.04 LTS (trusty) - low.	2015-11-09
oval:com.ubuntu.bionic:def:20158005000	V	CVE-2015-8005 on Ubuntu 18.04 LTS (bionic) - low.	2015-11-09
oval:com.ubuntu.cosmic:def:201580050000000	V	CVE-2015-8005 on Ubuntu 18.10 (cosmic) - low.	2015-11-09
oval:com.ubuntu.cosmic:def:20158005000	V	CVE-2015-8005 on Ubuntu 18.10 (cosmic) - low.	2015-11-09
oval:com.ubuntu.bionic:def:201580050000000	V	CVE-2015-8005 on Ubuntu 18.04 LTS (bionic) - low.	2015-11-09
oval:com.ubuntu.precise:def:20158005000	V	CVE-2015-8005 on Ubuntu 12.04 LTS (precise) - low.	2015-11-09

BACK