CVE-2022-47927: 
NixOS vulnerability analysis and mitigation

CVE-2022-47927 is a security vulnerability discovered in MediaWiki before versions 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. The vulnerability was disclosed on December 22, 2022, and affects the SQLite database file permissions during new installations. This security issue was considered low risk by the MediaWiki security team (Wikimedia Announce).

The vulnerability occurs when installing MediaWiki with a pre-existing data directory that has weak permissions. In such cases, the SQLite database files are created with file mode 0644 (world-readable), instead of the more secure 0600 permission. This affects new installations using SQLite as the database system (Phabricator).

The vulnerability allows local users on a shared host system to read the SQLite database files, potentially exposing sensitive information including password hashes, session information, IP addresses (if checkuser is installed), unencrypted 2FA codes, user preferences, deleted pages, and other private data stored in the database (Phabricator).

The issue has been fixed in MediaWiki versions 1.35.9, 1.38.5, and 1.39.1. For existing installations using SQLite on shared hosts, users should check the file permissions of their database files and modify them to prevent them from being readable by everyone. The fix ensures that new SQLite database files are created with proper permissions (Wikimedia Announce).