Last week, while debugging other issues, our developers discovered that several of the patches released in August (VaultWiki 4.0.8 Patch Level 5 through 4.0.13 Patch Level 1), which were intended to prevent Server-Side Request Forgery, could be circumvented by a malicious user supplying specially crafted URLs. This issue does not affect Lite versions.
At the same time, our developers noticed a flaw that could make it easier for malicious users to launch a denial of service attack by submitting invalid URLs. This issue affects all versions of VaultWiki since 4.0.1, except Lite versions.
Earlier this week, a customer reported that large portions of their wiki were going offline whenever certain user actions were performed on a single wiki page. Since as few as one malicious user could use this to keep all or most of a wiki offline, it is being treated as a Denial of Service vulnerability. While the flaw exists in earlier versions, it could not be exploited until a related bug was fixed in 4.0.14. This issue therefore affects only 4.0.14 and its Patch Level 1, and does not affect Lite versions.
These issues are referred to as RE:Vulnerabilidad de Las Plagas, VaporPic, and Soul Sealer, respectively.
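The first two issues above both come down to how a user-supplied URL is handled before the server fetches it: the SSRF filter has to judge where a URL really points, and a malformed URL has to be rejected cleanly rather than driving the server into an error path. The following validator is an added illustration of those two properties and is not VaultWiki's code; the scheme allow-list, the length limit, the `check_outbound_url` interface and the `FAKE_DNS` table are all assumptions made for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # assumption: only web fetches are wanted
MAX_URL_LENGTH = 2048                 # constructed limit; bounds work spent on junk input


def _system_resolver(host):
    """Resolve a hostname to every address it maps to (A and AAAA records)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    # Strip any IPv6 zone id ("fe80::1%eth0") before handing to ipaddress.
    return [info[4][0].split("%")[0] for info in infos]


def _is_public(ip):
    """True only for addresses that are routable on the public Internet."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:a.b.c.d is judged by its IPv4 part
    return ip.is_global and not ip.is_multicast


def check_outbound_url(url, resolver=_system_resolver):
    """Decide whether a user-supplied URL may be fetched server-side.

    Returns (ok, reason, addresses). Never raises: a malformed URL is
    rejected with a reason instead of propagating an exception, so a flood
    of invalid URLs cannot be turned into an error-path denial of service.
    The caller should connect to one of the returned addresses rather than
    re-resolving the name, so the checked answer is the one actually used.
    """
    if not isinstance(url, str) or len(url) > MAX_URL_LENGTH:
        return False, "missing or oversized URL", []
    try:
        parts = urlsplit(url)
        host = parts.hostname     # lower-cased, IPv6 brackets removed
        _ = parts.port            # raises ValueError for a bad port
    except ValueError as exc:
        return False, f"unparseable URL: {exc}", []
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}", []
    if not host:
        return False, "empty host", []
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL", []

    # Judge the addresses the name actually resolves to, not the text of
    # the host: a literal IP is checked directly, anything else via DNS.
    try:
        candidates = [ipaddress.ip_address(host)]
    except ValueError:
        try:
            candidates = [ipaddress.ip_address(a) for a in resolver(host)]
        except (OSError, ValueError) as exc:
            return False, f"could not resolve {host!r}: {exc}", []
    if not candidates:
        return False, f"no addresses for {host!r}", []

    blocked = [str(ip) for ip in candidates if not _is_public(ip)]
    if blocked:
        # Every answer must be public; a mixed answer set is not accepted.
        return False, f"resolves to non-public address(es): {blocked}", []
    return True, "ok", [str(ip) for ip in candidates]


# Constructed resolver so the demonstration runs offline; a real deployment
# keeps the default _system_resolver.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "intranet.local": ["10.0.0.5"],
    "mixed.example": ["93.184.216.34", "127.0.0.1"],
}


def fake_resolver(host):
    if host not in FAKE_DNS:
        raise OSError(f"NXDOMAIN {host}")
    return FAKE_DNS[host]


if __name__ == "__main__":
    for url in ["https://example.com/page", "http://intranet.local/admin",
                "http://mixed.example/", "http://127.0.0.1:8080/",
                "http://[::ffff:127.0.0.1]/", "ftp://example.com/",
                "http://example.com:notaport/", "http://[::1/",
                "http://user:pw@example.com/"]:
        ok, reason, addrs = check_outbound_url(url, resolver=fake_resolver)
        print(f"{'ALLOW' if ok else 'DENY '} {url:32} {reason} {addrs}")
```

The two design choices that matter are that every exception from parsing or resolution is converted into a rejection (the DoS half), and that the decision is made on resolved addresses rather than on the host string, with the fetch then pinned to one of those addresses (the SSRF half).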
Today, we have released the following patches to address all three:
The following patches address the remaining issues (where applicable), and have been available since last week:
- 4.0.13 Patch Level 2
- 4.0.12 Patch Level 3
- 4.0.11 Patch Level 3
- 4.0.10 Patch Level 4
- 4.0.9 Patch Level 4
- 4.0.8 Patch Level 6
- 4.0.7 Patch Level 7
We strongly recommend that all users running VaultWiki 4.0.1 or higher in a production environment update to a patched release as soon as possible.