GHSA-gq32-758c-3wm3

Published: 19 Mar 2025
Source: github
GitHub: reviewed
CVSS4: 8.7
CVSS3: 7.5

Description

XWiki uses the wrong wiki reference in AuthorizationManager

Impact

It is possible for a user to gain access to private information through the REST API (other APIs that rely on the same authorization check could be affected as well) when a subwiki has "Prevent unregistered users to view pages" enabled. The vulnerability only affects subwikis, and it only concerns specific right options such as "Prevent unregistered users to view pages" or "Prevent unregistered users to edit pages".

To detect the vulnerability, enable "Prevent unregistered users to view pages" on a subwiki and then request one of its pages through the REST API without any credentials: if the page is returned, the instance is affected.

Patches

The vulnerability has been patched in XWiki 15.10.14, 16.4.6 and 16.10.0-rc-1.

Workarounds

There's no workaround.

For more information

If you have any questions or comments about this advisory:

Packages

Name: org.xwiki.platform:xwiki-platform-security-authorization-api (maven)

Affected versions                Fixed version
>= 6.1-rc-1, < 15.10.14          15.10.14
>= 16.0.0-rc-1, < 16.4.6         16.4.6
>= 16.5.0-rc-1, < 16.10.0-rc-1   16.10.0-rc-1
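The detection step above (an unauthenticated REST request for a page in a subwiki that has "Prevent unregistered users to view pages" enabled) and the three affected version ranges in the packages table are both easy to get wrong by hand, so here is a small added checker. This is example code written for this page, not XWiki project code. Assumptions: the base URL, the subwiki name "subwiki", the space "Main" and the page "WebHome" are hypothetical placeholders; the REST path layout /rest/wikis/{wiki}/spaces/{space}/pages/{page} is the documented XWiki REST layout; and the exact status XWiki returns for a denied anonymous request (401 or 403) is assumed to vary by version, so both are treated as "protected".

```python
"""Check an XWiki version against the advisory's affected ranges and probe a
subwiki page through the REST API with no credentials.

Added example for this advisory page, not XWiki project code."""
import sys
import urllib.error
import urllib.parse
import urllib.request

# Affected ranges from the advisory's package table: [lower inclusive, upper exclusive).
AFFECTED_RANGES = [
    ("6.1-rc-1", "15.10.14"),
    ("16.0.0-rc-1", "16.4.6"),
    ("16.5.0-rc-1", "16.10.0-rc-1"),
]


def version_key(version):
    """Sortable key for XWiki versions such as '15.10.14' or '16.10.0-rc-1'.

    A release candidate sorts before the final release with the same number,
    which matters because every lower bound in the table is an rc."""
    main, _, qualifier = version.lower().partition("-")
    nums = [int(p) for p in main.split(".")]
    nums += [0] * (3 - len(nums))  # pad '6.1' to (6, 1, 0)
    if qualifier:
        # 'rc-1' -> 1; any other pre-release qualifier gets 0 (assumption)
        rc_num = int(qualifier.split("-")[-1]) if qualifier.startswith("rc-") else 0
        return (tuple(nums), 0, rc_num)
    return (tuple(nums), 1, 0)


def is_affected(version):
    """True if the given xwiki-platform version falls in one of the affected ranges."""
    key = version_key(version)
    return any(version_key(lo) <= key < version_key(hi) for lo, hi in AFFECTED_RANGES)


def page_url(base, wiki, spaces, page):
    """REST URL of a page in a (possibly nested) space of the given wiki."""
    def q(segment):
        return urllib.parse.quote(segment, safe="")
    space_path = "/".join(f"spaces/{q(s)}" for s in spaces)
    return f"{base.rstrip('/')}/rest/wikis/{q(wiki)}/{space_path}/pages/{q(page)}"


def classify(status):
    """Interpret an unauthenticated response for a page in a subwiki where
    'Prevent unregistered users to view pages' is enabled."""
    if status == 200:
        return "VULNERABLE: page returned without credentials"
    if status in (401, 403):  # assumed: either may be used depending on version
        return "protected: anonymous access denied"
    if status == 404:
        return "not found: check the wiki, space and page names"
    return f"unexpected status {status}"


def probe(url):
    """GET the URL with no Authorization header and no cookies; return (status, body)."""
    req = urllib.request.Request(url, headers={"Accept": "application/xml"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


if __name__ == "__main__":
    # Hypothetical target; point this at a subwiki page that unregistered users
    # must not be able to read.
    base = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8080/xwiki"
    for v in ("15.10.13", "15.10.14", "16.4.5", "16.9.0", "16.10.0-rc-1"):
        print(f"{v}: {'affected' if is_affected(v) else 'not affected'}")
    url = page_url(base, "subwiki", ["Main"], "WebHome")
    status, _ = probe(url)
    print(url, "->", status, classify(status))
```

Run it against a test subwiki before and after upgrading: a 200 for the anonymous request is the advisory's own indicator, and a 15.10.x, 16.0.x-16.4.x or 16.5.x-16.9.x version reported as affected means the fix for that branch (15.10.14, 16.4.6 or 16.10.0-rc-1) is still missing.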

EPSS: 0.00056 (percentile 18%, Low)

CVSS4: 8.7 High
CVSS3: 7.5 High

Weaknesses

CWE-269
CWE-863

Related vulnerabilities

CVSS3: 7.5
nvd
11 months ago

XWiki Platform is a generic wiki platform. Prior to 15.10.14, 16.4.6, and 16.10.0-rc-1, it's possible for a user to get access to private information through the REST API - but could also be through another API - when a sub wiki is using "Prevent unregistered users to view pages". The vulnerability only affects subwikis, and it only concerns specific right options such as "Prevent unregistered users to view pages" or "Prevent unregistered users to edit pages". It's possible to detect the vulnerability by enabling "Prevent unregistered users to view pages" and then trying to access a page through the REST API without using any credentials. The vulnerability has been patched in XWiki 15.10.14, 16.4.6 and 16.10.0RC1.

CVSS3: 7.5
fstec
11 months ago

Vulnerability in the org.xwiki.platform:xwiki-platform-security-authorization-api component of the XWiki Platform collaborative web application platform, allowing an attacker to gain unauthorized access to protected information
