Information Exposure Affecting org.xwiki.platform:xwiki-platform-oldcore package, versions [5.0-rc-1,14.10.19) [15.0-rc-1,15.5.4) [15.6-rc-1,15.9-rc-1)
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JAVA-ORGXWIKIPLATFORM-6595863
- published 11 Apr 2024
- disclosed 10 Apr 2024
- credit Unknown
Introduced: 10 Apr 2024
CVE-2024-31464 Open this link in a new tabHow to fix?
Upgrade org.xwiki.platform:xwiki-platform-oldcore to version 14.10.19, 15.5.4, 15.9-rc-1 or higher.
Overview
org.xwiki.platform:xwiki-platform-oldcore is a generic wiki platform offering runtime services for applications built on top of it.
Affected versions of this package are vulnerable to Information Exposure. An attacker can access the hash of a password by using the diff feature whenever the object storing the password is deleted.
Using that vulnerability, it's possible for an attacker to have access to the hash password of a user if the attacker has to edit the user's page.
This vulnerability impacts any extensions that might use passwords stored in xobjects, depending on the rights of those pages.
Workaround
Admins should ensure that the user pages are properly protected: the edit right shouldn't be allowed for other users than Admin and the owner of the profile (which is the default right).
PoC
Create a user
With Admin account, go to the user page in object editor, remove the user
xobjectand save
3)Perform a diff between last version and previous one