
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2022-41766 is a security vulnerability in MediaWiki versions before 1.35.8, all 1.36.x releases, 1.37.x before 1.37.5, and 1.38.x before 1.38.3. It is an information-disclosure flaw: during an action=rollback operation, the alreadyrolled message can leak a user name that has been revision deleted or suppressed (NVD, Phabricator).
The flaw lies in MediaWiki's rollback functionality. When a rollback is performed via action=rollback and the user name on the relevant revision has been revision deleted or suppressed, the 'alreadyrolled' error message still includes that user name, disclosing information that should have been hidden. The issue has been assigned a CVSS v3.1 base score of 4.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (NVD).
The vulnerability leads to information disclosure, specifically exposing usernames that have been intentionally hidden through revision deletion or suppression. This could compromise user privacy and potentially reveal sensitive information that was meant to be redacted from the system (Phabricator).
The vulnerability has been patched in MediaWiki versions 1.35.8, 1.37.5, and 1.38.3. The fix involves hiding suppressed users from the rollback page error messages. Users are advised to upgrade to these or later versions to mitigate the vulnerability (Phabricator).
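A practical first step for a defender is to map an installed MediaWiki version onto the affected and fixed ranges stated above. The following Python is an added example, not code from this page or from the MediaWiki project; it encodes the version ranges exactly as the advisory states them, treats the 1.36 branch (which has no fixed release listed) as affected throughout, and, as an assumption, recommends the newest fixed release named here (1.38.3) for branches that have no fix of their own. The inventory at the bottom is constructed sample data.

```python
import re
from typing import Dict, Optional, Tuple

# Affected ranges as stated in the CVE-2022-41766 advisory text:
#   every release before 1.35.8, every 1.36.x release,
#   1.37.x before 1.37.5, and 1.38.x before 1.38.3.
# Fixed releases named in the advisory: 1.35.8, 1.37.5, 1.38.3.
FIXED_PATCH_BY_BRANCH = {
    (1, 35): 8,
    (1, 37): 5,
    (1, 38): 3,
}
# 1.36 has no fixed release in the advisory; assumption: the whole branch is affected.
UNPATCHED_BRANCHES = {(1, 36)}
# Branches newer than 1.38 are outside the stated affected range.
LAST_AFFECTED_BRANCH = (1, 38)
# Assumption: target for branches without a fix of their own.
NEWEST_FIXED_RELEASE = "1.38.3"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'major.minor[.patch]' from a MediaWiki version string.

    Pre-release suffixes such as '1.38.0-rc.0' or '1.39.0-wmf.12' are
    dropped and the string is judged by its numeric prefix. That is
    optimistic for release candidates of a fixed version, so confirm
    such builds separately.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised MediaWiki version string: {version!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3)
    return int(major), int(minor), int(patch or 0)


def is_affected(version: str) -> bool:
    """True if the given version falls inside the advisory's affected ranges."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch > LAST_AFFECTED_BRANCH:
        return False
    if branch in UNPATCHED_BRANCHES:
        return True
    fixed_patch = FIXED_PATCH_BY_BRANCH.get(branch)
    if fixed_patch is None:
        # Anything older than 1.35 is "before 1.35.8" and therefore affected.
        return True
    return patch < fixed_patch


def recommended_upgrade(version: str) -> Optional[str]:
    """Smallest fixed release for an affected version, or None if not affected."""
    if not is_affected(version):
        return None
    major, minor, _ = parse_version(version)
    fixed_patch = FIXED_PATCH_BY_BRANCH.get((major, minor))
    if fixed_patch is not None:
        return f"{major}.{minor}.{fixed_patch}"
    # No fixed release in this branch (pre-1.35 or 1.36.x): move to the
    # newest fixed release the advisory names (assumption, see above).
    return NEWEST_FIXED_RELEASE


def audit(inventory: Dict[str, str]) -> Dict[str, Tuple[bool, Optional[str]]]:
    """Map host -> (affected?, recommended upgrade) for a host:version inventory."""
    return {host: (is_affected(v), recommended_upgrade(v)) for host, v in inventory.items()}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "wiki-a.example": "1.35.7",
    "wiki-b.example": "1.36.2",
    "wiki-c.example": "1.37.5",
    "wiki-d.example": "1.38.2",
    "wiki-e.example": "1.39.0",
}

if __name__ == "__main__":
    for host, (affected, target) in audit(SAMPLE_INVENTORY).items():
        state = f"AFFECTED, upgrade to {target}" if affected else "not affected"
        print(f"{host:18} {SAMPLE_INVENTORY[host]:8} {state}")
```

The branch-aware comparison matters here: a naive "is it below 1.38.3?" check would wrongly flag 1.37.5 and 1.35.8, both of which carry the fix, and would miss that no 1.36.x release does.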
Source: This report was generated using AI