GHSA-2jhm-qp48-hv5j
Suggest an improvement- Source
- https://github.com/advisories/GHSA-2jhm-qp48-hv5j
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-2jhm-qp48-hv5j/GHSA-2jhm-qp48-hv5j.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-2jhm-qp48-hv5j
- Aliases
- Published
- 2022-02-09T21:56:05Z
- Modified
- 2023-11-01T04:57:58.397074Z
- Severity
-
- 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:H CVSS Calculator
- Summary
- Missing authorization in xwiki-platform
- Details
-
Impact
Any user with SCRIPT right (EDIT right before XWiki 7.4) can read any file located in the XWiki WAR (for example xwiki.cfg and xwiki.properties) through XWiki#invokeServletAndReturnAsString:
$xwiki.invokeServletAndReturnAsString("/WEB-INF/xwiki.cfg")Patches
It has been patched in XWiki versions 12.10.9, 13.4.3 and 13.7-rc-1.
Workarounds
The only workaround is to give SCRIPT right only to trusted users.
References
https://jira.xwiki.org/browse/XWIKI-18870
For more information
If you have any questions or comments about this advisory: * Open an issue in Jira XWiki * Email us at our security mailing list
- Database specific
{ "nvd_published_at": "2022-02-09T22:15:00Z", "cwe_ids": [ "CWE-552", "CWE-862" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2022-02-09T21:56:05Z" }- References
Affected packages
Maven / org.xwiki.platform:xwiki-platform-oldcore
Package
- Name
- org.xwiki.platform:xwiki-platform-oldcore
- View open source insights on deps.dev
- Purl
- pkg:maven/org.xwiki.platform/xwiki-platform-oldcore
Maven / org.xwiki.platform:xwiki-platform-oldcore
Package
- Name
- org.xwiki.platform:xwiki-platform-oldcore
- View open source insights on deps.dev
- Purl
- pkg:maven/org.xwiki.platform/xwiki-platform-oldcore
Maven / org.xwiki.platform:xwiki-platform-oldcore
Package
- Name
- org.xwiki.platform:xwiki-platform-oldcore
- View open source insights on deps.dev
- Purl
- pkg:maven/org.xwiki.platform/xwiki-platform-oldcore