Bug 2163610 (CVE-2022-39193)

Summary: CVE-2022-39193 mediawiki: Edits with the performer suppressed still show the performer in results from the CheckUser extension
Product: [Other] Security Response
Reporter: Avinash Hanwate <ahanwate>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: low
Priority: low
Version: unspecified
Keywords: Security
Hardware: All   
OS: Linux   
Last Closed: 2023-01-26 06:22:13 UTC
Bug Depends On: 2163611    
Bug Blocks: 2163519    

Description Avinash Hanwate 2023-01-24 04:32:21 UTC
An issue was discovered in the CheckUser extension for MediaWiki through 1.39.x. Various components of this extension can expose information on the performer of edits and logged actions. This information should not allow public viewing: it is supposed to be viewable only by users with checkuser access.

https://phabricator.wikimedia.org/T311337

Comment 1 Avinash Hanwate 2023-01-24 04:32:47 UTC
Created mediawiki tracking bugs for this issue:

Affects: fedora-all [bug 2163611]

Comment 2 Product Security DevOps Team 2023-01-26 06:22:11 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-39193