CVE-2024-40596: 
NixOS vulnerability analysis and mitigation

An issue was discovered in the CheckUser extension for MediaWiki through 1.42.1. The Special:Investigate feature can expose suppressed information for log events. The vulnerability exists because TimelineService does not support properly suppressing log events. This issue was discovered in January 2023 and was assigned CVE-2024-40596 (NVD, Phabricator).

The vulnerability stems from the CheckUser extension's inability to properly handle suppressed log events in the TimelineService component. The core issue is that CheckUser does not store the log ID, which is necessary to look up the revision deletion status. This technical limitation means that checkusers who do not have oversight permissions can access oversighted logs (Phabricator). The vulnerability has been assigned a CVSS v3.1 base score of 4.3 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) (NVD).

The vulnerability allows users with CheckUser permissions but without oversight permissions to access suppressed log information that should be restricted. This represents an information disclosure vulnerability that could potentially expose sensitive or private information that was intentionally suppressed (Phabricator).

The issue has been fixed by implementing support for storing log IDs and properly checking suppression status in the TimelineService component. The fix was merged in May 2024 and includes updates to the TimelineRowFormatter and the addition of read new support to the TimelineService (Phabricator).