Incomplete Cleanup Affecting org.xwiki.platform:xwiki-platform-core package, versions [2.0,14.10.7) [15.0-rc-1,15.2-rc-1)
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JAVA-ORGXWIKIPLATFORM-5747792
- published 30 Jun 2023
- disclosed 30 Jun 2023
- credit Unknown
Introduced: 30 Jun 2023
CVE-2023-36468 Open this link in a new tabHow to fix?
Upgrade org.xwiki.platform:xwiki-platform-core to version 14.10.7, 15.2-rc-1 or higher.
Overview
Affected versions of this package are vulnerable to Incomplete Cleanup. When an XWiki installation is upgraded and that upgrade contains a fix for a bug in a document, just a new version of that document is added. In some cases, it's still possible to exploit the vulnerability that was fixed in the new version.
Note:
This vulnerability doesn't affect freshly installed versions of XWiki. Further, this vulnerability doesn't affect content that is only loaded from the current version of a document like the code of wiki macros or UI extensions.
Workaround
As a workaround, admins can manually delete old revisions of affected documents. A script could be used to identify all installed documents and delete the history for them. However, also manually added and later corrected code may be affected by this vulnerability so it is easy to miss documents.