CVE-2022-23621
Summary
| CVE | CVE-2022-23621 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2022-02-09 22:15:00 UTC |
| Updated | 2023-07-13 16:08:00 UTC |
| Description | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with SCRIPT right can read any file located in the XWiki WAR (for example xwiki.cfg and xwiki.properties) through XWiki#invokeServletAndReturnAsString as `$xwiki.invokeServletAndReturnAsString("/WEB-INF/xwiki.cfg")`. This issue has been patched in XWiki versions 12.10.9, 13.4.3 and 13.7-rc-1. Users are advised to update. The only workaround is to limit SCRIPT right. |
Risk And Classification
Problem Types: CWE-552 | CWE-862
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| [XWIKI-18870] LFI on XWIKI through $xwiki.invokeServletAndReturnAsString - XWiki.org JIRA | MISC | jira.xwiki.org | |
| XWIKI-18870: Unexpected behavior of XWiki#invokeServletAndReturnAsString · xwiki/xwiki-platform@df8bd49 · GitHub | MISC | github.com | |
| It's possible to read any file from the WAR with just SCRIPT right through $xwiki.invokeServletAndReturnAsString · Advisory · xwiki/xwiki-platform · GitHub | CONFIRM | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.