CVE-2020-15005
Description
In MediaWiki before 1.31.8, 1.32.x and 1.33.x before 1.33.4, and 1.34.x before 1.34.2, private wikis behind a caching server using the img_auth.php image authorization security feature may have had their files cached publicly, so any unauthorized user could view them. This occurs because Cache-Control and Vary headers were mishandled.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
MediaWiki private wikis behind a caching server leaked files via img_auth.php due to improper Cache-Control and Vary headers, allowing unauthorized access.
Vulnerability
Details
On a private wiki, img_auth.php serves uploaded files only after checking that the requester is allowed to read them, so the file bytes are a per-user, credential-dependent response. Affected versions sent those responses with Cache-Control and Vary headers that did not tell a shared cache this: Cache-Control did not mark the response as private (or otherwise unstorable by a shared cache), and Vary did not name the request credential the authorization decision depended on. A caching server deployed in front of the wiki could therefore store the file returned to an authorized user and hand that stored copy to anyone who later requested the same URL, bypassing the wiki's permission check entirely [3][4].
Exploitation
Exploitation requires no credentials and no special tooling, but it is opportunistic: the private file must first have been fetched by an authorized user through the caching server, which stores the 200 response. An attacker who then requests the same img_auth.php URL receives the cached copy; the request never reaches the wiki, so the missing session is never noticed. The only prerequisite is knowing the file's URL. The root cause is the headers emitted by img_auth.php, not a cache misconfiguration as such, although a cache tuned to store responses regardless of request cookies makes the leak more likely.
Impact
Unauthenticated users can read any file protected by img_auth.php that a shared cache has stored, including images and other uploaded media intended only for logged-in users of the private wiki. Depending on what the wiki holds, this exposes confidential documents, internal diagrams or personal data.
Mitigation
The issue is fixed in MediaWiki 1.31.8, 1.33.4 and 1.34.2; 1.32.x is no longer supported and should move to 1.33.4 or later. Administrators should upgrade. Until then, configure the caching server to bypass (never store) responses for the img_auth.php path. In either case, purge any copies already held by the cache, since upgrading the wiki does not evict entries that were stored before the fix [3][4].
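To make the mechanism in the Details and Exploitation sections concrete, and to give operators a check for the workaround above, here is an added example that is not MediaWiki's code and not the project's fix. img_auth_origin() is a toy stand-in for img_auth.php and SharedCache is a toy proxy cache; the session cookie value, URL and file bytes are constructed. The caching rules modelled are the real ones from RFC 7234 (a shared cache must not store responses marked private or no-store, must not store Vary: *, and must key stored variants on the request headers that Vary names). The cache is assumed to store any other 200 response, a common tuning when operators strip cookies for throughput, which is the deployment that leaked. The header values used in the "fixed" branch (Cache-Control: private, Vary: Cookie) are the standard way to express that the response is user-specific; they are an assumption here, not a quotation of the upstream patch.

```python
"""Shared-cache model for CVE-2020-15005: why private img_auth.php files leaked.

Added example, not MediaWiki code. Origin, cache, cookie, URL and file bytes
are all constructed stand-ins; only the RFC 7234 caching rules are real.
"""
from dataclasses import dataclass

SESSION_COOKIE = "wiki_session=abc123"          # constructed valid session cookie
PRIVATE_URL = "/img_auth.php/a/ab/Secret.png"   # constructed private file path
PRIVATE_FILE = b"\x89PNG...internal diagram"      # constructed file body


@dataclass
class Response:
    status: int
    headers: dict   # lower-case header name -> value
    body: bytes


def parse_cache_control(value):
    """'private, max-age=60' -> {'private': None, 'max-age': '60'}."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().lower().partition("=")
        if name:
            directives[name] = arg.strip().strip('"') or None
    return directives


def shared_cache_may_store(headers):
    """RFC 7234: may a shared (proxy/CDN) cache store this response at all?"""
    cc = parse_cache_control(headers.get("cache-control", ""))
    if "no-store" in cc or "private" in cc:
        return False
    if headers.get("vary", "").strip() == "*":
        return False
    return True   # assumption: anything else is stored (cookie-stripping deployment)


def variant_key(request_headers, vary):
    """Secondary cache key: values of the request headers named by Vary."""
    names = [n.strip().lower() for n in (vary or "").split(",") if n.strip()]
    return tuple((n, request_headers.get(n)) for n in names)


class SharedCache:
    """Toy proxy cache in front of the wiki, keyed on URL plus Vary'd headers."""

    def __init__(self):
        self.store = {}   # (url, variant_key) -> Response

    def fetch(self, url, request_headers, origin):
        for (stored_url, key), resp in self.store.items():
            if stored_url == url and key == variant_key(request_headers, resp.headers.get("vary")):
                return resp, "HIT"          # served without consulting the wiki
        resp = origin(url, request_headers)
        if resp.status == 200 and shared_cache_may_store(resp.headers):
            self.store[(url, variant_key(request_headers, resp.headers.get("vary")))] = resp
        return resp, "MISS"


def img_auth_origin(fixed):
    """Toy img_auth.php: serve the file only to a valid session.

    fixed=False emits no cache headers (the behaviour the advisory describes).
    fixed=True marks the response private and varies it on Cookie (assumed fix shape).
    """
    def handler(url, request_headers):
        if request_headers.get("cookie") != SESSION_COOKIE:
            return Response(403, {"content-type": "text/html"}, b"Forbidden")
        headers = {"content-type": "image/png"}
        if fixed:
            headers["cache-control"] = "private"
            headers["vary"] = "Cookie"
        return Response(200, headers, PRIVATE_FILE)
    return handler


def leak_scenario(fixed):
    """Authorized user fetches the file, then an anonymous client asks for the same URL.

    Returns (status, body) seen by the anonymous client.
    """
    cache = SharedCache()
    origin = img_auth_origin(fixed)
    cache.fetch(PRIVATE_URL, {"cookie": SESSION_COOKIE}, origin)   # populates the cache
    resp, _ = cache.fetch(PRIVATE_URL, {}, origin)                 # no cookie at all
    return resp.status, resp.body


def audit_headers(raw):
    """Classify a `curl -sI https://wiki/img_auth.php/...` header dump.

    shared_cacheable=True on a private wiki means the workaround is still needed.
    """
    headers = {}
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    vary_names = [v.strip().lower() for v in headers.get("vary", "").split(",")]
    return {
        "shared_cacheable": shared_cache_may_store(headers),
        "varies_on_cookie": "cookie" in vary_names,
    }


if __name__ == "__main__":
    print("vulnerable:", leak_scenario(fixed=False))  # anonymous client gets 200 + file bytes
    print("fixed:     ", leak_scenario(fixed=True))   # anonymous client gets 403
```

Run the script to see the two scenarios side by side, or paste the raw output of `curl -sI` against a private file URL into audit_headers() to check a live deployment. A result of shared_cacheable=True from a private wiki's img_auth.php means the proxy must be configured to pass that path straight to the origin (for example, a bypass rule for URLs containing img_auth.php) until the wiki is upgraded, and existing cache entries for those URLs should be purged.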
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| mediawiki/core | Packagist | < 1.31.8 | 1.31.8 |
| mediawiki/core | Packagist | >= 1.32.0, < 1.33.4 | 1.33.4 |
| mediawiki/core | Packagist | >= 1.34.0, < 1.34.2 | 1.34.2 |
Affected products
- MediaWiki / MediaWiki (no CPE assigned; OSV coordinates): range < 1.31.8, plus 1 more range not listed here
References
- https://github.com/advisories/GHSA-xpv7-93cm-4mxv (GitHub Security Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EEZIMLJMJS72SJXPYL736XMUAVCRQD2H/ (Fedora package announcement)
- https://nvd.nist.gov/vuln/detail/CVE-2020-15005 (NVD entry)
- https://www.debian.org/security/2020/dsa-4767 (Debian DSA-4767)
- https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/core/+/REL1_31/RELEASE-NOTES-1.31 (MediaWiki 1.31 release notes)
- https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/core/+/REL1_33/RELEASE-NOTES-1.33 (MediaWiki 1.33 release notes)
- https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/core/+/REL1_34/RELEASE-NOTES-1.34 (MediaWiki 1.34 release notes)
- https://lists.debian.org/debian-lts-announce/2020/12/msg00034.html (Debian LTS announcement)
- https://lists.wikimedia.org/pipermail/wikitech-l/2020-June/093535.html (wikitech-l security release announcement)
- https://phabricator.wikimedia.org/T248947 (Wikimedia Phabricator task T248947)