Описание
The WikiManager REST API allows any user to create wikis
Impact
Any user can exploit the WikiManager REST API to create a new wiki, where the user could become an administrator and so performs other attacks on the farm. Note that this REST API is not bundled in XWiki Standard by default: it needs to be installed manually through the extension manager.
Patches
The problem has been patched in versions 15.10.15, 16.4.6 and 16.10.0 of the REST module.
Workarounds
There's no workaround other than upgrading the dependency.
References
- JIRA ticket: https://jira.xwiki.org/browse/XWIKI-22490
- Commit of the fix: https://github.com/xwiki/xwiki-platform/commit/82aa670106c7f5e6238ca6ed59a52d1800e05b99
For more information
If you have any questions or comments about this advisory:
- Open an issue in Jira XWiki.org
- Email us at Security Mailing List
Attribution
You can specify here who reported the issue.
Пакеты
org.xwiki.platform:xwiki-platform-wiki-rest-default
>= 5.4-rc-1, < 15.10.15
15.10.15
org.xwiki.platform:xwiki-platform-wiki-rest-default
>= 16.0.0-rc-1, < 16.4.6
16.4.6
org.xwiki.platform:xwiki-platform-wiki-rest-default
>= 16.5.0-rc-1, < 16.10.0
16.10.0
Связанные уязвимости
XWiki Platform is a generic wiki platform. Prior to 15.10.15, 16.4.6, and 16.10.0, any user can exploit the WikiManager REST API to create a new wiki, where the user could become an administrator and so performs other attacks on the farm. Note that this REST API is not bundled in XWiki Standard by default: it needs to be installed manually through the extension manager. The problem has been patched in versions 15.10.15, 16.4.6 and 16.10.0 of the REST module.
Уязвимость компонента org.xwiki.platform:xwiki-platform-wiki-rest-default платформы создания совместных веб-приложений XWiki Platform, позволяющая нарушителю повысить свои привилегии