CVE-2024-47849: 
NixOS vulnerability analysis and mitigation

A critical SQL Injection vulnerability (CVE-2024-47849) was discovered in The Wikimedia Foundation's MediaWiki Cargo extension. The vulnerability affects versions from 3.6.X before 3.6.1. This security flaw allows attackers to perform SQL injection attacks against the affected systems (NVD, CVE).

The vulnerability is classified as an Improper Neutralization of Special Elements used in an SQL Command (CWE-89). It has received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating that it can be exploited remotely with no privileges or user interaction required. Under CVSS v4.0, it received a score of 8.8 (HIGH) (NVD).

The vulnerability allows attackers to perform SQL injection attacks which could potentially lead to unauthorized access to database contents, modification of database data, and possible execution of administrative operations on the database. Given the CVSS scores, the impact is considered severe with potential for complete compromise of system confidentiality, integrity, and availability (NVD).

Users are advised to upgrade to MediaWiki Cargo version 3.6.1 or later which contains the fix for this vulnerability. A patch has been developed and is available through the Wikimedia Gerrit system (Gerrit Patch).