CVE-2024-40596

4.3 MEDIUM

📋 TL;DR

The CheckUser extension for MediaWiki has a vulnerability in which the Special:Investigate feature can expose suppressed log event information that should remain hidden. It affects MediaWiki administrators and users with CheckUser privileges, who can thereby access sensitive suppressed data. The root cause is that TimelineService does not properly handle suppression of sensitive information.

💻 Affected Systems

Products:
  • MediaWiki with CheckUser extension
Versions: MediaWiki through 1.42.1 with CheckUser extension
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations with the CheckUser extension enabled and users with CheckUser privileges.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Unauthorized disclosure of sensitive suppressed information including private user data, administrative actions, or security-related logs that should remain confidential.

🟠 Likely Case

Privileged users inadvertently or intentionally viewing suppressed log information that should be restricted, potentially violating privacy policies or exposing sensitive administrative actions.

🟢 If Mitigated

Limited exposure to authorized administrators only, with proper access controls and auditing preventing widespread data disclosure.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires CheckUser privileges to access the Special:Investigate feature.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: CheckUser extension version with fix for T326866

Vendor Advisory: https://phabricator.wikimedia.org/T326866

Restart Required: No

Instructions:

  • Update MediaWiki to the latest version
  • Update the CheckUser extension to the patched version
  • Clear caches if necessary

🔧 Temporary Workarounds

Disable CheckUser extension (applies to: all)

Temporarily disable the CheckUser extension to prevent exploitation: edit LocalSettings.php and comment out or remove wfLoadExtension('CheckUser');

Restrict CheckUser privileges (applies to: all)

Temporarily remove CheckUser privileges from non-essential users: edit LocalSettings.php to modify the $wgGroupPermissions array for the 'checkuser' group.
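As an added example (not from this advisory or the CheckUser project), a LocalSettings.php fragment for the second workaround. It assumes MediaWiki's standard 'checkuser' group and the CheckUser extension's 'checkuser' and 'checkuser-log' rights; the 'checkuser-essential' group name is a hypothetical name chosen for this example.

```php
<?php
// LocalSettings.php fragment (added example, not from the advisory).
// Keep the extension loaded; the rights are what we restrict.
wfLoadExtension( 'CheckUser' );

// Before the workaround, the 'checkuser' group keeps its extension
// defaults, so every member can open Special:Investigate.
// Strip those rights from the broad group: values set here take
// precedence over the defaults the extension registers.
$wgGroupPermissions['checkuser']['checkuser'] = false;
$wgGroupPermissions['checkuser']['checkuser-log'] = false;

// Grant the rights only to a small, explicitly managed group.
// 'checkuser-essential' is a hypothetical group name for this example;
// add the few administrators who still need the feature via Special:UserRights.
$wgGroupPermissions['checkuser-essential']['checkuser'] = true;
$wgGroupPermissions['checkuser-essential']['checkuser-log'] = true;

// Let bureaucrats add and remove members of the restricted group,
// so membership changes are recorded in the user rights log.
$wgAddGroups['bureaucrat'][] = 'checkuser-essential';
$wgRemoveGroups['bureaucrat'][] = 'checkuser-essential';
```

Existing members of 'checkuser' lose access to Special:Investigate as soon as the file is saved; revert the overrides once the patched extension is deployed.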

🧯 If You Can't Patch

  • Restrict access to Special:Investigate feature to only essential administrators
  • Implement additional logging and monitoring for CheckUser feature usage

🔍 How to Verify

Check if Vulnerable:

Check if MediaWiki version is 1.42.1 or earlier with CheckUser extension enabled and Special:Investigate feature accessible

Check Version:

Check MediaWiki version via Special:Version page or $wgVersion in LocalSettings.php

Verify Fix Applied:

Verify CheckUser extension has been updated to version containing fix for T326866 and test Special:Investigate feature

📡 Detection & Monitoring

Log Indicators:

  • Unusual access patterns to Special:Investigate
  • Multiple suppressed log view events
  • CheckUser feature usage by non-standard users

Network Indicators:

  • HTTP requests to /wiki/Special:Investigate endpoint

SIEM Query:

source="mediawiki_logs" AND (uri_path="/wiki/Special:Investigate" OR action="investigate")
