An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. Users can bypass intended restrictions on deleting pages in certain fast double move situations. MovePage::isValidMoveTarget() uses FOR UPDATE, but its only called if Title::getArticleID() returns non-zero with no special flags. Next, MovePage::moveToInternal() will delete the page if getArticleID(READ_LATEST) is non-zero. Therefore, if the page is missing in the replica DB, isValidMove() will return true, and then moveToInternal() will unconditionally delete the page if it can be found in the master.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Mediawiki | Mediawiki | * | 1.31.12 (excluding) |
| Mediawiki | Mediawiki | 1.32.0 (including) | 1.35.2 (excluding) |
| Mediawiki | Ubuntu | devel | * |
| Mediawiki | Ubuntu | esm-apps/focal | * |
| Mediawiki | Ubuntu | esm-apps/jammy | * |
| Mediawiki | Ubuntu | esm-apps/noble | * |
| Mediawiki | Ubuntu | focal | * |
| Mediawiki | Ubuntu | groovy | * |
| Mediawiki | Ubuntu | hirsute | * |
| Mediawiki | Ubuntu | impish | * |
| Mediawiki | Ubuntu | jammy | * |
| Mediawiki | Ubuntu | kinetic | * |
| Mediawiki | Ubuntu | lunar | * |
| Mediawiki | Ubuntu | mantic | * |
| Mediawiki | Ubuntu | noble | * |
| Mediawiki | Ubuntu | oracular | * |
| Mediawiki | Ubuntu | trusty | * |
| Mediawiki | Ubuntu | upstream | * |