GHSA-r5cr-xm48-97xp
Suggest an improvement- Source
- https://github.com/advisories/GHSA-r5cr-xm48-97xp
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-r5cr-xm48-97xp/GHSA-r5cr-xm48-97xp.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-r5cr-xm48-97xp
- Aliases
- Published
- 2025-04-30T16:49:47Z
- Modified
- 2025-05-05T17:50:17Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- XWiki missing authorization when accessing the wiki level attachments list and metadata via REST API
- Details
-
Impact
Anyone can access the metadata of any attachment in the wiki using the wiki attachment REST endpoint. It's not filtering the result depending on current user rights, a not authenticated user could exploit this even in a totally private wiki.
To reproduce:
- remove view from guest on the whole wiki
- logout
- access http://127.0.0.1:8080/xwiki/rest/wikis/xwiki/spaces/Sandbox/pages/WebHome/attachments
You get a list of attachments, while the expected result should be an empty list.
Patches
This vulnerability has been fixed in XWiki 14.10.22, 15.10.12, 16.7.0-rc-1 and 16.4.3.
Workarounds
We're not aware of any workaround except upgrading.
References
- https://jira.xwiki.org/browse/XWIKI-22424
- https://jira.xwiki.org/browse/XWIKI-22427
- https://github.com/xwiki/xwiki-platform/commit/a43e933ddeda17dad1772396e1757998260e9342#diff-0
For more information
If you have any questions or comments about this advisory: * Open an issue in Jira XWiki.org * Email us at Security Mailing List
Attribution
Issue reported by Lukas Monert.
- Database specific
{ "github_reviewed_at": "2025-04-30T16:49:47Z", "cwe_ids": [ "CWE-862" ], "nvd_published_at": "2025-04-30T19:15:55Z", "severity": "MODERATE", "github_reviewed": true }- References
-
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-r5cr-xm48-97xp
- https://nvd.nist.gov/vuln/detail/CVE-2025-46554
- https://github.com/xwiki/xwiki-platform/commit/37ecea84fdd053c33733c2ae9a0778bf98eae608
- https://github.com/xwiki/xwiki-platform/commit/a43e933ddeda17dad1772396e1757998260e9342
- https://github.com/xwiki/xwiki-platform/commit/c02ce7843a39851865b9d7b6132e32fdd21e3856
- https://github.com/xwiki/xwiki-platform
- https://jira.xwiki.org/browse/XWIKI-22424
- https://jira.xwiki.org/browse/XWIKI-22427
Affected packages
Maven / org.xwiki.platform:xwiki-platform-rest-server
Package
- Name
- org.xwiki.platform:xwiki-platform-rest-server
- View open source insights on deps.dev
- Purl
- pkg:maven/org.xwiki.platform/xwiki-platform-rest-server
Maven / org.xwiki.platform:xwiki-platform-rest-server
Package
- Name
- org.xwiki.platform:xwiki-platform-rest-server
- View open source insights on deps.dev
- Purl
- pkg:maven/org.xwiki.platform/xwiki-platform-rest-server
Maven / org.xwiki.platform:xwiki-platform-rest-server
Package
- Name
- org.xwiki.platform:xwiki-platform-rest-server
- View open source insights on deps.dev
- Purl
- pkg:maven/org.xwiki.platform/xwiki-platform-rest-server
Maven / org.xwiki.platform:xwiki-platform-rest-server
Package
- Name
- org.xwiki.platform:xwiki-platform-rest-server
- View open source insights on deps.dev
- Purl
- pkg:maven/org.xwiki.platform/xwiki-platform-rest-server