Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-4f8g-fq6x-jqrr: org.xwiki.platform:xwiki-platform-oldcore vulnerable to data leak through deleted documents

Impact

Rights added to a document are not taken into account for viewing it once it’s deleted. Note that this vulnerability only impact deleted documents that where containing view rights: the view rights provided on a space of a deleted document are properly checked.

Patches

The problem has been patched in XWiki 14.10 by checking the rights of current user: only admin and deleter of the document are allowed to view it.

Workarounds

There is no workaround for this vulnerability other than upgrading.

References

  • Jira ticket: https://jira.xwiki.org/browse/XWIKI-16285
  • Commit: https://github.com/xwiki/xwiki-platform/commit/d9e947559077e947315bf700c5703dfc7dd8a8d7

For more information

If you have any questions or comments about this advisory:

ghsa
#vulnerability#git#java#perl#jira#maven
  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. CVE-2023-29208

org.xwiki.platform:xwiki-platform-oldcore vulnerable to data leak through deleted documents

High severity GitHub Reviewed Published Apr 12, 2023 in xwiki/xwiki-platform • Updated Apr 12, 2023

Package

maven org.xwiki.platform:xwiki-platform-oldcore (Maven)

Affected versions

>= 1.2-milestone-1, < 13.10.11

>= 14.0-rc-1, < 14.4.7

>= 14.5, < 14.10

Patched versions

13.10.11

14.4.7

14.10

Published to the GitHub Advisory Database

Apr 12, 2023

Last updated

Apr 12, 2023

Related news

CVE-2023-29208: XWIKI-16285: Error when accessing deleted document · xwiki/xwiki-platform@d9e9475

XWiki Commons are technical libraries common to several other top level XWiki projects. Rights added to a document are not taken into account for viewing it once it's deleted. Note that this vulnerability only impact deleted documents that where containing view rights: the view rights provided on a space of a deleted document are properly checked. The problem has been patched in XWiki 14.10 by checking the rights of current user: only admin and deleter of the document are allowed to view it.

ghsa: Latest News

GHSA-8gc2-vq6m-rwjw: Amazon Redshift Python Connector vulnerable to SQL Injection