Impact
Anyone can access the metadata of any attachment in the wiki using the wiki attachment REST endpoint. It's not filtering the result depending on current user rights, a not authenticated user could exploit this even in a totally private wiki.
To reproduce:
You get a list of attachments, while the expected result should be an empty list.
Patches
This vulnerability has been fixed in XWiki 14.10.22, 15.10.12, 16.7.0-rc-1 and 16.4.3.
Workarounds
We're not aware of any workaround except upgrading.
References
For more information
If you have any questions or comments about this advisory:
Attribution
Issue reported by Lukas Monert.
Impact
Anyone can access the metadata of any attachment in the wiki using the wiki attachment REST endpoint. It's not filtering the result depending on current user rights, a not authenticated user could exploit this even in a totally private wiki.
To reproduce:
You get a list of attachments, while the expected result should be an empty list.
Patches
This vulnerability has been fixed in XWiki 14.10.22, 15.10.12, 16.7.0-rc-1 and 16.4.3.
Workarounds
We're not aware of any workaround except upgrading.
References
For more information
If you have any questions or comments about this advisory:
Attribution
Issue reported by Lukas Monert.