Miggo Logo
Miggo Vulnerability Database
CVE-2019-12472

CVE-2019-12472: MediaWiki Incorrect Access Control vulnerability

7.5

CVSS Score
3.0

Basic Information

CVE ID
CVE-2019-12472
GHSA ID
GHSA-7mqg-5fgh-xh4r
EPSS Score
0.42369%
CWE
CWE-284
Published
5/24/2022
Updated
5/24/2024
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
mediawiki/corecomposer>= 1.18.0, < 1.27.61.27.6
mediawiki/corecomposer>= 1.30.0, < 1.30.21.30.2
mediawiki/corecomposer>= 1.31.0, < 1.31.21.31.2
mediawiki/corecomposer>= 1.32.0, < 1.32.21.32.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from missing CIDR validation in the API block handler. The Phabricator task T199540 specifically shows the security patch was applied to ApiBlock.php to add $wgBlockCIDRLimit checks. Since the vulnerability description explicitly mentions API-based bypass and the fix targets the API block implementation, ApiBlock::execute is the primary vulnerable entry point that lacked proper access control checks for CIDR range size limits prior to patching.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n In*orr**t ****ss *ontrol vuln*r**ility w*s *oun* in Wikim**i* M**i*Wiki *.**.* t*rou** *.**.*. It is possi*l* to *yp*ss t** limits on IP r*n** *lo*ks ($w**lo*k*I*RLimit) *y usin* t** *PI. *ix** in *.**.*, *.**.*, *.**.* *n* *.**.*.

Reasoning

T** vuln*r**ility st*ms *rom missin* *I*R v*li**tion in t** *PI *lo*k **n*l*r. T** P***ri**tor t*sk T****** sp**i*i**lly s*ows t** s**urity p*t** w*s *ppli** to *pi*lo*k.p*p to *** $w**lo*k*I*RLimit ****ks. Sin** t** vuln*r**ility **s*ription *xpli*i