CVE-2020-10534: 
NixOS vulnerability analysis and mitigation

In the GlobalBlocking extension before 2020-03-10 for MediaWiki through 1.34.0, an issue related to IP range evaluation resulted in blocked users re-gaining escalated privileges. This vulnerability (CVE-2020-10534) specifically occurs in cases where an IP address is contained in two ranges, one of which is locally disabled (NVD).

The vulnerability has been assigned a CVSS v3.1 Base Score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. This indicates a critical severity level with network accessibility, low attack complexity, and no required privileges or user interaction. The vulnerability is classified under CWE-863 (Incorrect Authorization) (NVD).

When exploited, this vulnerability allows blocked users to bypass intended access restrictions and regain escalated privileges within the MediaWiki system. This could potentially lead to unauthorized access to protected content and administrative functions (NVD).

A patch was released on March 10, 2020, to address this vulnerability. Users should upgrade their MediaWiki GlobalBlocking extension to a version after this date. The fix was implemented through a code change that properly handles IP range evaluations (Wikimedia Patch).