At the same time, our developers noticed a flaw that could make it easier for malicious users to launch a denial of service attack by submitting invalid URLs. This issue affects all versions of VaultWiki since 4.0.1, except Lite versions.
Earlier this week, a customer reported that large portions of their wiki were going offline whenever certain user actions were performed on a single wiki page. Since a single malicious user could leverage this to keep all or most of a wiki offline, it is being treated as a Denial of Service vulnerability. While the flaw exists in earlier versions, it was not exploitable until a related bug was fixed in 4.0.14. Thus, this issue only affects 4.0.14 and its Patch Level 1, and does not affect Lite versions.
These issues are referred to as RE:Vulnerabilidad de Las Plagas, VaporPic, and Soul Sealer respectively.
Today, we have released the following patch to address all three:
- 4.0.14 Patch Level 2
The following patches address the remaining issues (where applicable), and have been available since last week:
- 4.0.13 Patch Level 2
- 4.0.12 Patch Level 3
- 4.0.11 Patch Level 3
- 4.0.10 Patch Level 4
- 4.0.9 Patch Level 4
- 4.0.8 Patch Level 6
- 4.0.7 Patch Level 7
We strongly recommend that all users running VaultWiki 4.0.1 or higher in a production environment update to a patched release as soon as possible.