124 lines
4.5 KiB
JSON
124 lines
4.5 KiB
JSON
{
|
|
"Definition": [
|
|
{
|
|
"ID": "oval:org.altlinux.errata:def:20212092",
|
|
"Version": "oval:org.altlinux.errata:def:20212092",
|
|
"Class": "patch",
|
|
"Metadata": {
|
|
"Title": "ALT-PU-2021-2092: package `mediawiki-extensions-Widgets` update to version 1.3.0-alt1git",
|
|
"AffectedList": [
|
|
{
|
|
"Family": "unix",
|
|
"Platforms": [
|
|
"ALT Linux branch p9"
|
|
],
|
|
"Products": [
|
|
"ALT Server",
|
|
"ALT Virtualization Server",
|
|
"ALT Workstation",
|
|
"ALT Workstation K",
|
|
"ALT Education",
|
|
"Simply Linux",
|
|
"Starterkit"
|
|
]
|
|
}
|
|
],
|
|
"References": [
|
|
{
|
|
"RefID": "ALT-PU-2021-2092",
|
|
"RefURL": "https://errata.altlinux.org/ALT-PU-2021-2092",
|
|
"Source": "ALTPU"
|
|
},
|
|
{
|
|
"RefID": "CVE-2020-35625",
|
|
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2020-35625",
|
|
"Source": "CVE"
|
|
},
|
|
{
|
|
"RefID": "CVE-2020-9382",
|
|
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2020-9382",
|
|
"Source": "CVE"
|
|
}
|
|
],
|
|
"Description": "This update upgrades mediawiki-extensions-Widgets to version 1.3.0-alt1git. \nSecurity Fix(es):\n\n * CVE-2020-35625: An issue was discovered in the Widgets extension for MediaWiki through 1.35.1. Any user with the ability to edit pages within the Widgets namespace could call any static function within any class (defined within PHP or MediaWiki) via a crafted HTML comment, related to a Smarty template. For example, a person in the Widget Editors group could use \\MediaWiki\\Shell\\Shell::command within a comment.\n\n * CVE-2020-9382: An issue was discovered in the Widgets extension through 1.4.0 for MediaWiki. Improper title sanitization allowed for the execution of any wiki page as a widget (as defined by this extension) via MediaWiki's {{#widget:}} parser function.",
|
|
"Advisory": {
|
|
"From": "errata.altlinux.org",
|
|
"Severity": "High",
|
|
"Rights": "Copyright 2024 BaseALT Ltd.",
|
|
"Issued": {
|
|
"Date": "2021-06-30"
|
|
},
|
|
"Updated": {
|
|
"Date": "2021-06-30"
|
|
},
|
|
"BDUs": null,
|
|
"CVEs": [
|
|
{
|
|
"ID": "CVE-2020-35625",
|
|
"CVSS": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
|
|
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
|
|
"CWE": "CWE-862",
|
|
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2020-35625",
|
|
"Impact": "High",
|
|
"Public": "20201221"
|
|
},
|
|
{
|
|
"ID": "CVE-2020-9382",
|
|
"CVSS": "AV:N/AC:L/Au:S/C:P/I:P/A:N",
|
|
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
|
|
"CWE": "CWE-74",
|
|
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2020-9382",
|
|
"Impact": "Low",
|
|
"Public": "20200224"
|
|
}
|
|
],
|
|
"AffectedCPEs": {
|
|
"CPEs": [
|
|
"cpe:/o:alt:kworkstation:9",
|
|
"cpe:/o:alt:workstation:9",
|
|
"cpe:/o:alt:server:9",
|
|
"cpe:/o:alt:server-v:9",
|
|
"cpe:/o:alt:education:9",
|
|
"cpe:/o:alt:slinux:9",
|
|
"cpe:/o:alt:starterkit:p9",
|
|
"cpe:/o:alt:kworkstation:9.1",
|
|
"cpe:/o:alt:workstation:9.1",
|
|
"cpe:/o:alt:server:9.1",
|
|
"cpe:/o:alt:server-v:9.1",
|
|
"cpe:/o:alt:education:9.1",
|
|
"cpe:/o:alt:slinux:9.1",
|
|
"cpe:/o:alt:starterkit:9.1",
|
|
"cpe:/o:alt:kworkstation:9.2",
|
|
"cpe:/o:alt:workstation:9.2",
|
|
"cpe:/o:alt:server:9.2",
|
|
"cpe:/o:alt:server-v:9.2",
|
|
"cpe:/o:alt:education:9.2",
|
|
"cpe:/o:alt:slinux:9.2",
|
|
"cpe:/o:alt:starterkit:9.2"
|
|
]
|
|
}
|
|
}
|
|
},
|
|
"Criteria": {
|
|
"Operator": "AND",
|
|
"Criterions": [
|
|
{
|
|
"TestRef": "oval:org.altlinux.errata:tst:1001",
|
|
"Comment": "ALT Linux must be installed"
|
|
}
|
|
],
|
|
"Criterias": [
|
|
{
|
|
"Operator": "OR",
|
|
"Criterions": [
|
|
{
|
|
"TestRef": "oval:org.altlinux.errata:tst:20212092001",
|
|
"Comment": "mediawiki-extensions-Widgets is earlier than 0:1.3.0-alt1git"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|
|
}
|
|
]
|
|
} |