CVE-2023-45364: 
NixOS vulnerability analysis and mitigation

An issue was discovered in includes/page/Article.php in MediaWiki 1.36.x through 1.39.x before 1.39.5 and 1.40.x before 1.40.1. The vulnerability involves incorrect permissions being checked, which leads to deleted revision existence being leaked. This vulnerability was disclosed in October 2023 and affects MediaWiki installations running vulnerable versions (NVD).

The vulnerability stems from improper permission checks in the Article.php file. When these incorrect permissions are checked, it reveals that a given revision ID belonged to a specific page title, along with its timestamp - information that should not be publicly accessible. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating it is network accessible, requires low attack complexity, and primarily impacts confidentiality (NVD).

The vulnerability results in information disclosure where an attacker can learn about the existence of deleted revisions, including their timestamps and association with specific page titles. This information is intended to be private and not accessible to the public, representing a breach of the system's intended security model (NVD).

The vulnerability has been fixed in MediaWiki versions 1.39.5 and 1.40.1. Users running affected versions should upgrade to these patched versions or later. For Debian users, fixes have been released in version 1:1.35.13-1~deb11u1 for the oldstable distribution (bullseye) and version 1:1.39.5-1~deb12u1 for the stable distribution (bookworm) (Debian Security).