Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0yamhtLXFwNDgtaHY1as0p2A
Missing authorization in xwiki-platform
Impact
Any user with SCRIPT right (EDIT right before XWiki 7.4) can read any file located in the XWiki WAR (for example xwiki.cfg and xwiki.properties) through XWiki#invokeServletAndReturnAsString:
$xwiki.invokeServletAndReturnAsString("/WEB-INF/xwiki.cfg")
Patches
It has been patched in XWiki versions 12.10.9, 13.4.3 and 13.7-rc-1.
Workarounds
The only workaround is to give SCRIPT right only to trusted users.
References
https://jira.xwiki.org/browse/XWIKI-18870
For more information
If you have any questions or comments about this advisory:
- Open an issue in Jira XWiki
- Email us at our security mailing list
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0yamhtLXFwNDgtaHY1as0p2A
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: 9 months ago
CVSS Score: 5.5
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:H
Identifiers: GHSA-2jhm-qp48-hv5j, CVE-2022-23621
References:
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-2jhm-qp48-hv5j
- https://github.com/xwiki/xwiki-platform/commit/df8bd49b5a4d87a427002c6535fb5b1746ff117a
- https://jira.xwiki.org/browse/XWIKI-18870
- https://nvd.nist.gov/vuln/detail/CVE-2022-23621
- https://github.com/advisories/GHSA-2jhm-qp48-hv5j
Blast Radius: 1.0
Affected Packages
maven:org.xwiki.platform:xwiki-platform-oldcore
Affected Version Ranges: < 12.10.9; >= 13.0.0, < 13.4.3; >= 13.6-rc-1, <= 13.6
Fixed in: 12.10.9, 13.4.3, 13.7-rc-1