OSV: GHSA-2JHM-QP48-HV5J
Published: Feb 09, 2022, 21:56 (source: Google osv.dev)

Missing authorization in xwiki-platform

Tags: xwiki, authorization, security

EPSS: 0.001 (percentile 41.4%)

Impact

Any user with SCRIPT right (EDIT right before XWiki 7.4) can read any file located in the XWiki WAR, including configuration files such as xwiki.cfg and xwiki.properties, through XWiki#invokeServletAndReturnAsString. The method performs the request internally (a servlet dispatch), so a path under WEB-INF, which the container never serves over HTTP, becomes readable from a script:

$xwiki.invokeServletAndReturnAsString("/WEB-INF/xwiki.cfg")
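The following Python script is an added triage example; it is not part of the advisory or of XWiki's own code. It scans exported wiki pages (XAR page XML, reduced here to the elements the check needs) for calls to invokeServletAndReturnAsString whose argument resolves under WEB-INF or META-INF after path normalisation, and reports the page together with its content author, since that author's rights are what the script runs with. The sample pages, the user names, the traversal and case variants, and the Groovy-style single-quote form are all constructed for the example.

```python
"""Added triage helper for GHSA-2JHM-QP48-HV5J (not XWiki project code).

Flags wiki pages whose script content calls XWiki#invokeServletAndReturnAsString
with a path that lands under WEB-INF or META-INF once normalised.
"""
import re
import xml.etree.ElementTree as ET
from posixpath import normpath

# Matches the Velocity call from the advisory, $xwiki.invokeServletAndReturnAsString("..."),
# and, by assumption, the same call written with single quotes (e.g. from Groovy).
CALL_RE = re.compile(
    r"""invokeServletAndReturnAsString\s*\(\s*(['"])(?P<path>.*?)\1""", re.S)

# Directories a servlet container never serves directly but an internal dispatch can reach.
PROTECTED_PREFIXES = ("/WEB-INF/", "/META-INF/")


def is_protected_path(path: str) -> bool:
    """True if the dispatched path resolves under WEB-INF or META-INF.

    Traversal ('..') is collapsed, backslashes are treated as separators and the
    comparison is case-insensitive, so the scanner errs towards flagging.
    """
    cleaned = path.strip().replace("\\", "/")
    normalized = normpath("/" + cleaned.lstrip("/"))  # lstrip avoids a POSIX '//' root
    upper = normalized.upper()
    return any(upper == p.rstrip("/") or upper.startswith(p) for p in PROTECTED_PREFIXES)


def find_script_calls(content: str):
    """Yield (path, is_protected) for every invokeServletAndReturnAsString call in page content."""
    for m in CALL_RE.finditer(content):
        path = m.group("path")
        yield path, is_protected_path(path)


def scan_xar_page(xml_text: str) -> dict:
    """Parse one XAR page document and report calls that reach protected paths."""
    root = ET.fromstring(xml_text)
    content = root.findtext("content") or ""
    hits = [p for p, protected in find_script_calls(content) if protected]
    return {
        "reference": root.get("reference", "?"),
        # contentAuthor is the user whose SCRIPT (or EDIT) right the script executes with.
        "contentAuthor": root.findtext("contentAuthor", "?"),
        "hits": hits,
    }


# Constructed sample pages: the advisory's payload plus a traversal/case variant,
# and a benign call that dispatches an ordinary wiki view.
SAMPLE_PAGES = [
    """<xwikidoc version="1.1" reference="Sandbox.Probe">
  <web>Sandbox</web><name>Probe</name>
  <contentAuthor>xwiki:XWiki.mallory</contentAuthor>
  <content>{{velocity}}
$xwiki.invokeServletAndReturnAsString("/WEB-INF/xwiki.cfg")
$xwiki.invokeServletAndReturnAsString('/resources/../web-inf/xwiki.properties')
{{/velocity}}</content>
</xwikidoc>""",
    """<xwikidoc version="1.1" reference="Main.Status">
  <web>Main</web><name>Status</name>
  <contentAuthor>xwiki:XWiki.admin</contentAuthor>
  <content>{{velocity}}
$xwiki.invokeServletAndReturnAsString("/bin/view/Main/WebHome?xpage=plain")
{{/velocity}}</content>
</xwikidoc>""",
]


def triage(pages=SAMPLE_PAGES):
    """Return reports only for pages with at least one protected-path call."""
    return [r for r in (scan_xar_page(p) for p in pages) if r["hits"]]


if __name__ == "__main__":
    for report in triage():
        print(f"{report['reference']} (contentAuthor {report['contentAuthor']}): {report['hits']}")
```

Run it over the page XML files of a real XAR export (one scan_xar_page call per file) and review every reported content author against the set of users who legitimately hold SCRIPT right; a hit authored by an untrusted account is evidence the issue was exercised, which ordinary access logs will not show because the dispatch never leaves the server.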

Patches

It has been patched in XWiki versions 12.10.9, 13.4.3 and 13.7-rc-1.
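To check an installation against the fix list above, the following Python snippet is an added example, not from the advisory or the XWiki project. It orders XWiki version strings including -rc-N and -milestone-N qualifiers, and treats 12.10.9 and 13.4.3 as branch backports that fix only their own 12.10.x and 13.4.x lines, with 13.7-rc-1 as the fix for every release from that point onward; under that reading 13.5.x and 13.6.x remain affected even though they are numerically newer than 13.4.3. That branch interpretation is the usual one for an advisory listing several fixed versions and is stated here as an assumption, not something the advisory spells out.

```python
"""Added example (not XWiki project code): is an XWiki version fixed for
GHSA-2JHM-QP48-HV5J, given the fix versions the advisory lists?"""
import re

FIXED_VERSIONS = ["12.10.9", "13.4.3", "13.7-rc-1"]

# Pre-release qualifiers sort below the final release: milestone < rc < final.
QUALIFIER_RANK = {"milestone": 0, "rc": 1}
FINAL_RANK = 2


def parse_version(version: str):
    """Turn '13.7-rc-1' into ((13, 7, 0), 1, 1) and '13.7' into ((13, 7, 0), 2, 0).

    The key sorts correctly with plain tuple comparison, so 13.7-rc-1 < 13.7 < 13.7.1.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-([a-z]+)-(\d+))?", version.strip().lower())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {version!r}")
    numbers = [int(x) for x in m.group(1).split(".")]
    numbers += [0] * (3 - len(numbers))  # 13.7 is the same release as 13.7.0
    qualifier = m.group(2)
    if qualifier is None:
        return tuple(numbers), FINAL_RANK, 0
    if qualifier not in QUALIFIER_RANK:
        raise ValueError(f"unknown qualifier in version: {version!r}")
    return tuple(numbers), QUALIFIER_RANK[qualifier], int(m.group(3))


def branch(key):
    """Maintenance branch of a version key: its major.minor pair, e.g. (12, 10)."""
    return key[0][:2]


def is_fixed(version: str, fixed=FIXED_VERSIONS) -> bool:
    """Assumption: the highest listed fix covers everything at or above it; each lower
    listed fix is a backport that covers only its own major.minor branch."""
    v = parse_version(version)
    fixes = sorted(parse_version(f) for f in fixed)
    trunk_fix, backports = fixes[-1], fixes[:-1]
    if v >= trunk_fix:
        return True
    return any(branch(v) == branch(f) and v >= f for f in backports)


def classify(versions):
    """Map each version string to 'fixed' or 'affected' for a quick inventory report."""
    return {v: ("fixed" if is_fixed(v) else "affected") for v in versions}


if __name__ == "__main__":
    # Constructed inventory of installed versions.
    for version, status in classify(["12.10.8", "12.10.9", "13.4.2", "13.4.3",
                                     "13.5", "13.6.1", "13.7-rc-1", "13.7", "14.0"]).items():
        print(f"{version:<10} {status}")
```

The cases worth keeping in mind when reading any such fix list are 13.5 and 13.6, which sit between two listed fixes and yet received none, and the release candidate, which a naive string or float comparison would place after 13.7 instead of before it.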

Workarounds

The only workaround is to grant SCRIPT right (or EDIT right, on XWiki versions before 7.4) only to trusted users.

References

https://jira.xwiki.org/browse/XWIKI-18870

For more information

If you have any questions or comments about this advisory:
