Lucene search

PRIOn knowledge basePRION:CVE-2022-41935

HistoryNov 23, 2022 - 8:15 p.m.

Design/Logic Flaw

2022-11-2320:15:00

PRIOn knowledge base

www.prio-n.com

xwiki platform

security vulnerability

patched versions

livetable queries

4.5 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

26.9%

JSON

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users without the right to view documents can deduce their existence by repeated Livetable queries. The issue has been patched in XWiki 14.6RC1, 13.10.8, and 14.4.3, the response is not properly cleaned up of obfuscated entries. As a workaround, The patch for the document XWiki.LiveTableResultsMacros can be manually applied or a XAR archive of a patched version can be imported, on versions 12.10.11, 13.9-rc-1, and 13.4.4. There are no known workarounds for this issue.

CPENameOperatorVersion
xwikige14.0.0
xwikilt14.4.3
xwikige12.10.11
xwikilt13.10.8
xwikieq14.4.4
xwikieq14.4.5

Name	Operator	Version
xwiki	ge	14.0.0
xwiki	lt	14.4.3
xwiki	ge	12.10.11
xwiki	lt	13.10.8
xwiki	eq	14.4.4
xwiki	eq	14.4.5

References

github.com/xwiki/xwiki-platform/commit/1450b6e3c69ac7df25e5a2571186d1f43402facd

github.com/xwiki/xwiki-platform/security/advisories/GHSA-p2x4-6ghr-6vmq

jira.xwiki.org/browse/XWIKI-19999