CVE-2021-30159: 
NixOS vulnerability analysis and mitigation

An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. Users can bypass intended restrictions on deleting pages in certain "fast double move" situations. The vulnerability was assigned CVE-2021-30159 and was disclosed in April 2021 (NVD).

The vulnerability occurs due to a race condition in the page move functionality. MovePage::isValidMoveTarget() uses FOR UPDATE, but it's only called if Title::getArticleID() returns non-zero with no special flags. Next, MovePage::moveToInternal() will delete the page if getArticleID(READ_LATEST) is non-zero. Therefore, if the page is missing in the replica DB, isValidMove() will return true, and then moveToInternal() will unconditionally delete the page if it can be found in the master. The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (MEDIUM) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N (NVD).

This vulnerability allows authenticated users to bypass intended restrictions on deleting pages in specific situations involving fast double moves. The impact is primarily related to unauthorized page deletion capabilities, which could affect the integrity of the wiki content (Debian LTS).

The vulnerability was fixed in MediaWiki versions 1.31.12 and 1.35.2. Users are recommended to upgrade to these or later versions. Multiple Linux distributions have released security updates to address this vulnerability, including Debian (1:1.31.14-1~deb10u1), Fedora (1.35.2-1.fc33 and 1.35.2-1.fc34), and Gentoo (>=1.36.1) (Debian Security, Fedora Update, Gentoo Security).