CVE-2021-44858: 
NixOS vulnerability analysis and mitigation

An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. The vulnerability, identified as CVE-2021-44858, allows attackers to view private pages on a private wiki that has at least one page set in $wgWhitelistRead. This vulnerability was discovered in December 2021 and affects the undo feature through action=edit&undo= followed by action=mcrundo and action=mcrrestore actions (MediaWiki FAQ).

The vulnerability exploits the 'undo' feature (action=edit&undo=##&undoafter=###) which allowed attackers to view the contents of arbitrary revisions, regardless of their permissions. This vulnerability also extends to the 'mcrundo' and 'mcrrestore' actions. The issue affects all MediaWiki versions since 1.23.0 until 1.34.x, and 1.35.x, 1.36.x, 1.37.x before the security patches (MediaWiki FAQ).

The vulnerability allows unauthorized users to bypass read permissions and access private content on wikis that have at least one publicly accessible page through $wgWhitelistRead. This could lead to the exposure of sensitive or confidential information on private wikis (MediaWiki FAQ).

As an immediate mitigation, administrators can disable the vulnerable features by adding '$wgActions["mcrundo"] = false;' and '$wgActions["mcrrestore"] = false;' to their LocalSettings.php. For private wikis, additional settings '$wgWhitelistRead = [];' and '$wgWhitelistReadRegexp = [];' should be implemented. The permanent fix is available in MediaWiki versions 1.35.5, 1.36.3, and 1.37.1 (MediaWiki FAQ).

The vulnerability was discovered and reported by security researcher Dylsss, demonstrating the importance of community involvement in identifying security issues (MediaWiki FAQ).