
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2022-39193 is a security vulnerability discovered in the CheckUser extension for MediaWiki through version 1.39.x. The vulnerability allows various components of the extension to expose information about the performer of edits and logged actions that should only be visible to users with suppression rights (CVE Mitre, Phabricator).
The vulnerability exists in the CheckUser extension's handling of suppressed usernames, where the system fails to properly validate user permissions when displaying performer information. The issue has a CVSS score of 5.1 (AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L), indicating a medium severity level with local access required and high privileges needed to exploit (ZDI Advisory).
When exploited, the vulnerability could allow CheckUser users without suppression rights to view suppressed performer information in edit results, potentially compromising the privacy protections intended by the suppression system (Phabricator).
The issue has been patched in the MediaWiki CheckUser extension. The fix involves proper validation of user permissions when displaying suppressed usernames in Special:CheckUser results. The patch has been deployed to Wikimedia production servers and backported to supported MediaWiki versions (Phabricator).
Source: This report was generated using AI