Headline
GHSA-4f8g-fq6x-jqrr: org.xwiki.platform:xwiki-platform-oldcore vulnerable to data leak through deleted documents
Impact
Rights added to a document are not taken into account for viewing it once it’s deleted. Note that this vulnerability only impact deleted documents that where containing view rights: the view rights provided on a space of a deleted document are properly checked.
Patches
The problem has been patched in XWiki 14.10 by checking the rights of current user: only admin and deleter of the document are allowed to view it.
Workarounds
There is no workaround for this vulnerability other than upgrading.
References
- Jira ticket: https://jira.xwiki.org/browse/XWIKI-16285
- Commit: https://github.com/xwiki/xwiki-platform/commit/d9e947559077e947315bf700c5703dfc7dd8a8d7
For more information
If you have any questions or comments about this advisory:
- Open an issue in Jira
- Email us at security ML
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2023-29208
org.xwiki.platform:xwiki-platform-oldcore vulnerable to data leak through deleted documents
High severity GitHub Reviewed Published Apr 12, 2023 in xwiki/xwiki-platform • Updated Apr 12, 2023
Package
maven org.xwiki.platform:xwiki-platform-oldcore (Maven)
Affected versions
>= 1.2-milestone-1, < 13.10.11
>= 14.0-rc-1, < 14.4.7
>= 14.5, < 14.10
Patched versions
13.10.11
14.4.7
14.10
Published to the GitHub Advisory Database
Apr 12, 2023
Last updated
Apr 12, 2023
Related news
XWiki Commons are technical libraries common to several other top level XWiki projects. Rights added to a document are not taken into account for viewing it once it's deleted. Note that this vulnerability only impact deleted documents that where containing view rights: the view rights provided on a space of a deleted document are properly checked. The problem has been patched in XWiki 14.10 by checking the rights of current user: only admin and deleter of the document are allowed to view it.