
Cloud Vulnerability DB
A community-led vulnerabilities database
An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. It incorrectly executed certain rules related to blocking accounts after account creation. Such rules would allow for user accounts to be created while blocking only the IP address used to create an account (and not the user account itself). Such rules could also be used by a nefarious, unprivileged user to catalog and enumerate any number of IP addresses related to these account creations (NVD, Phabricator).
The flaw is in how the AbuseFilter extension applies its 'block' action on the account-creation path. When a filter carrying the 'block' action matches during account creation, the block is applied to the IP address from which the request came rather than to the account being created. The creation itself is not prevented: the new account comes into existence unblocked, and only the originating IP ends up on the block list. The vulnerability has a CVSS v3.1 Base Score of 5.4 (MEDIUM) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N (NVD).
The vulnerability has two main impacts: 1) Accounts that an abuse filter was meant to stop are created anyway, which can lead to SUL (single user login, the unified account across Wikimedia wikis) fragmentation and to the creation of inappropriate usernames. 2) Because each matching creation leaves behind an IP block rather than an account block, a misconfigured or deliberately crafted filter turns the block list into a record of the IP addresses of account creators, which any unprivileged user able to read it can collect; this is a privacy concern (Phabricator).
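The following audit script is an added example for the two preceding paragraphs; it is not part of the Wiz page and is not MediaWiki or AbuseFilter code. It shows the two checks a wiki administrator would want while exposed to this behaviour: which enabled filters carry a 'block' action that can fire on account creation (either because the pattern names the createaccount/autocreateaccount action, or because it never tests the `action` variable and therefore runs on every action type), and which entries in the block list are IP-only blocks placed by the filter system user, i.e. the records an unprivileged reader could harvest. The JSON shapes are assumed to follow the MediaWiki action API with `formatversion=2` (`list=abusefilters` and `list=blocks`), the sample responses are constructed, and the performer name "Abuse filter" is an assumption rather than something the page states.

```python
"""Audit helpers for the AbuseFilter account-creation 'block' weakness.

Added example, not Wiz page content and not MediaWiki/AbuseFilter code.
Assumptions: API JSON shapes follow list=abusefilters and list=blocks with
formatversion=2; sample values below are constructed; the filter system
user is assumed to be named "Abuse filter".
"""
import ipaddress
import re

# Constructed sample of api.php?action=query&list=abusefilters
#   &abfprop=id|description|pattern|actions|status&formatversion=2
SAMPLE_FILTERS = {
    "query": {
        "abusefilters": [
            {"id": 12, "description": "Block creation of impersonation names",
             "pattern": "action == 'createaccount' & accountname rlike 'admin'",
             "actions": "block,disallow", "enabled": True},
            {"id": 13, "description": "Warn on spammy edits",
             "pattern": "action == 'edit' & added_lines rlike 'buy now'",
             "actions": "warn", "enabled": True},
            {"id": 14, "description": "Old creation filter (disabled)",
             "pattern": "action == 'autocreateaccount'",
             "actions": "block", "enabled": False},
            {"id": 15, "description": "Block banned words in any action",
             "pattern": "user_name rlike 'badword'",
             "actions": "block", "enabled": True},
        ]
    }
}

# Constructed sample of api.php?action=query&list=blocks
#   &bkprop=id|user|by|reason|expiry&formatversion=2
SAMPLE_BLOCKS = {
    "query": {
        "blocks": [
            {"id": 901, "user": "203.0.113.45", "by": "Abuse filter",
             "reason": "Automatically blocked by abuse filter. "
                       "Description of matched rule: Block creation of impersonation names",
             "expiry": "2021-03-01T00:00:00Z"},
            {"id": 902, "user": "SpamAccount42", "by": "AdminUser",
             "reason": "Spam only account", "expiry": "infinity"},
            {"id": 903, "user": "198.51.100.7", "by": "AdminUser",
             "reason": "Open proxy", "expiry": "infinity"},
        ]
    }
}

CREATE_ACTION_RE = re.compile(r"""['"](auto)?createaccount['"]""")
ACTION_VAR_RE = re.compile(r"\baction\b")


def find_createaccount_block_filters(response):
    """Return enabled filters whose 'block' action can fire on account creation.

    A filter fires on account creation if its pattern names the
    createaccount/autocreateaccount action, or if it never tests the
    `action` variable at all (such a filter runs on every action type).
    """
    flagged = []
    for flt in response["query"]["abusefilters"]:
        if not flt.get("enabled"):
            continue
        actions = {a.strip() for a in flt.get("actions", "").split(",") if a}
        if "block" not in actions:
            continue
        pattern = flt.get("pattern", "")
        names_creation = CREATE_ACTION_RE.search(pattern) is not None
        unconstrained = ACTION_VAR_RE.search(pattern) is None
        if names_creation or unconstrained:
            flagged.append({
                "id": flt["id"],
                "description": flt["description"],
                "reason": "names account creation" if names_creation
                          else "no action predicate",
            })
    return flagged


def ip_blocks_by_filter(response, performer="Abuse filter"):
    """Return IP addresses that the filter system user has blocked.

    These are the entries an unprivileged reader of the block list can use
    to enumerate IPs of account creators; `performer` is an assumed name.
    """
    hits = []
    for blk in response["query"]["blocks"]:
        if blk.get("by") != performer:
            continue
        try:
            ip = ipaddress.ip_address(blk["user"])
        except ValueError:
            continue  # a named account, not an IP-only block
        hits.append(str(ip))
    return hits


if __name__ == "__main__":
    for f in find_createaccount_block_filters(SAMPLE_FILTERS):
        print(f"filter {f['id']} ({f['description']}): {f['reason']}")
    print("IP-only blocks by the filter:", ip_blocks_by_filter(SAMPLE_BLOCKS))
```

Against the constructed sample, filters 12 and 15 are flagged (15 because it has no `action` predicate and so also runs on account creation), filter 14 is skipped because it is disabled, and the only IP-only block attributed to the filter performer is 203.0.113.45. To run this against a live wiki, replace the two sample dictionaries with the parsed responses of the API queries named in the comments.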
The issue was fixed in the MediaWiki and AbuseFilter security releases that followed; NVD lists versions through 1.35.2 as affected, so 1.35.2 itself is not a fixed version. The fix changes how AbuseFilter applies the block action during account creation so that the newly created account is blocked alongside the originating IP address instead of the IP alone (NVD, Phabricator).
Source: This report was generated using AI