CVE-2023-37911

org.xwiki.platform:xwiki-platform-oldcore may leak data through deleted and re-created documents

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 9.4-rc-1 and prior to versions 14.10.8 and 15.3-rc-1, when a document has been deleted and re-created, it is possible for users with view right on the re-created document but not on the deleted document to view the contents of the deleted document. Such a situation might arise when rights were added to the deleted document. This can be exploited through the diff feature and, partially, through the REST API by using versions such as `deleted:1` (where the number counts the deletions in the wiki and is thus guessable). Given sufficient rights, the attacker can also re-create the deleted document, thus extending the scope to any deleted document as long as the attacker has edit right in the location of the deleted document. This vulnerability has been patched in XWiki 14.10.8 and 15.3 RC1 by properly checking rights when deleted revisions of a document are accessed. The only workaround is to regularly clean deleted documents to minimize the potential exposure. Extra care should be taken when deleting sensitive documents that are protected individually (and not, e.g., by being placed in a protected space) or deleting a protected space as a whole.

XWiki Platform es una plataforma wiki genérica que ofrece servicios de ejecución para aplicaciones creadas sobre ella. A partir de la versión 9.4-rc-1 y anteriores a las versiones 14.10.8 y 15.3-rc-1, cuando un documento se elimina y se vuelve a crear, es posible que los usuarios con derecho de visualización en el documento recreado pero no en el documento eliminado para ver el contenido del documento eliminado. Esta situación podría surgir cuando se agregaron derechos al documento eliminado. Esto se puede explotar a través de la función de diferenciación y, parcialmente, a través de la API REST mediante el uso de versiones como `deleted:1` (donde el número cuenta las eliminaciones en la wiki y, por lo tanto, se puede adivinar). Con derechos suficientes, el atacante también puede volver a crear el documento eliminado, ampliando así el alcance a cualquier documento eliminado siempre que el atacante tenga derecho de edición en la ubicación del documento eliminado. Esta vulnerabilidad se ha solucionado en XWiki 14.10.8 y 15.3 RC1 comprobando correctamente los derechos cuando se accede a revisiones eliminadas de un documento. El único workaround es limpiar periódicamente los documentos eliminados para minimizar la posible exposición. Se debe tener especial cuidado al eliminar documentos confidenciales que están protegidos individualmente (y no, por ejemplo, al colocarlos en un espacio protegido) o al eliminar un espacio protegido en su totalidad.

*Credits: N/A

CVSS Scores

NISTv3.1 6.5

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

Poc

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2023-07-10 CVE Reserved
2023-10-25 CVE Published
2024-09-17 CVE Updated
2024-09-17 First Exploit
2024-09-24 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-668: Exposure of Resource to Wrong Sphere

CAPEC

References (6)

URL	Tag	Source
https://extensions.xwiki.org/xwiki/bin/view/Extension/Index%20Application#HPermanentlydeleteallpages	Product

URL	Date	SRC
https://jira.xwiki.org/browse/XWIKI-20684	2024-09-17
https://jira.xwiki.org/browse/XWIKI-20685	2024-09-17
https://jira.xwiki.org/browse/XWIKI-20817	2024-09-17

URL	Date	SRC
https://github.com/xwiki/xwiki-platform/commit/f471f2a392aeeb9e51d59fdfe1d76fccf532523f	2023-10-31
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-gh64-qxh5-4m33	2023-10-31

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Xwiki Search vendor "Xwiki"		Xwiki Search vendor "Xwiki" for product "Xwiki"				> 9.4 <= 14.10.8 Search vendor "Xwiki" for product "Xwiki" and version " > 9.4 <= 14.10.8"		-		Affected
Xwiki Search vendor "Xwiki"		Xwiki Search vendor "Xwiki" for product "Xwiki"				9.4 Search vendor "Xwiki" for product "Xwiki" and version "9.4"		rc1		Affected