This vulnerability allows unauthorized access to wiki-level attachments and metadata via XWiki’s REST API. The flaw occurs due to insufficient authorization checks in the `/wikis/{wikiName}/attachments` endpoint. When a request is made, the API fails to validate user permissions, exposing attachment metadata (e.g., filenames, upload dates, sizes) to unauthenticated users—even in private wikis.
Affected versions return attachment lists without filtering based on access rights. For example, a `GET /wikis/privatewiki/attachments/Document/` request leaks metadata despite the wiki being restricted. The issue stems from missing `view` right validation before serializing attachment data in the REST response.
DailyCVE Form:
Platform: XWiki
Version: 1.8.1 to 16.7.0
Vulnerability: Missing Authorization
Severity: Moderate
Date: 2025-04-30
What Undercode Say:
Exploit:
1. Use `curl` to fetch metadata:
curl -X GET "http://target/xwiki/rest/wikis/privatewiki/attachments/Document/"
2. Script to enumerate attachments:
   import requests

   response = requests.get("http://target/xwiki/rest/wikis/{wiki}/attachments/{doc}")
   print(response.json())
Mitigation:
1. Upgrade to patched versions (14.10.22, 15.10.12, 16.4.3, or 16.7.0).
2. Apply REST API access control:
   # xwiki.cfg
   rest.requireAuthentication=true
3. Network-level restrictions (nginx):
   location /xwiki/rest/wikis/ {
       auth_basic "Restricted";
       auth_basic_user_file /etc/nginx/.htpasswd;
   }
Detection:
1. Audit logs for unauthorized REST access:
   grep -E "GET /rest/wikis/[^/]+/attachments" xwiki.log
2. Validate permissions with:
   import javax.inject.Inject;
   import javax.inject.Named;
   import javax.inject.Singleton;
   import javax.ws.rs.core.Response;
   import org.xwiki.component.annotation.Component;
   import org.xwiki.model.reference.DocumentReference;
   import org.xwiki.model.reference.DocumentReferenceResolver;
   import org.xwiki.model.reference.WikiReference;
   import org.xwiki.security.authorization.ContextualAuthorizationManager;
   import org.xwiki.security.authorization.Right;

   @Component
   @Singleton
   public class SecureAttachmentResource implements AttachmentResource
   {
       // Resolves the document name from the request into a reference the authorization manager understands.
       @Inject
       @Named("current")
       private DocumentReferenceResolver<String> resolver;

       @Inject
       private ContextualAuthorizationManager authorization;

       @Override
       public Response getAttachments(String wikiName, String documentName)
       {
           // Check the current user's view right on the document before any attachment metadata is serialized.
           DocumentReference document = resolver.resolve(documentName, new WikiReference(wikiName));
           if (!authorization.hasAccess(Right.VIEW, document)) {
               return Response.status(Response.Status.FORBIDDEN).build();
           }
           // Proceed
       }
   }
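Added detection example (not part of the advisory) that carries the log audit above over constructed access-log lines in combined format; it assumes the reverse proxy or servlet container records the REST path and the authenticated user name (a "-" for anonymous requests) and flags successful anonymous reads of the attachments endpoint for wikis you list as private.

```python
import re
from typing import Dict, List, Set

# Combined access-log format: the third field is the authenticated user ("-" when anonymous).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Wiki-level attachments endpoint: /xwiki/rest/wikis/<wiki>/attachments[/...]
ATTACHMENTS_PATH = re.compile(r'^/xwiki/rest/wikis/(?P<wiki>[^/]+)/attachments(?:/|$)')

# Constructed sample lines (documentation IP ranges), not from a real deployment.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Apr/2025:10:01:02 +0000] "GET /xwiki/rest/wikis/privatewiki/attachments/Document/ HTTP/1.1" 200 1432
203.0.113.5 - alice [30/Apr/2025:10:01:09 +0000] "GET /xwiki/rest/wikis/privatewiki/attachments/Document/ HTTP/1.1" 200 1432
198.51.100.7 - - [30/Apr/2025:10:02:15 +0000] "GET /xwiki/rest/wikis/xwiki/attachments/ HTTP/1.1" 200 980
198.51.100.7 - - [30/Apr/2025:10:02:40 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 5120
192.0.2.9 - - [30/Apr/2025:10:03:01 +0000] "GET /xwiki/rest/wikis/privatewiki/attachments/ HTTP/1.1" 401 0
"""


def find_anonymous_attachment_reads(log_text: str, private_wikis: Set[str]) -> List[Dict[str, str]]:
    """Return anonymous requests to the attachments endpoint of a private wiki that were
    served with a 2xx status. On a patched instance these entries should not appear."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # line is not in combined format; ignore it
        p = ATTACHMENTS_PATH.match(m.group("path"))
        if not p or p.group("wiki") not in private_wikis:
            continue  # not the attachments endpoint, or not a wiki we care about
        if m.group("user") != "-":
            continue  # authenticated request; rights were at least evaluated
        if not m.group("status").startswith("2"):
            continue  # 401/403 means the server refused the request
        hits.append({"ip": m.group("ip"), "wiki": p.group("wiki"),
                     "path": m.group("path"), "time": m.group("time")})
    return hits


if __name__ == "__main__":
    for hit in find_anonymous_attachment_reads(SAMPLE_LOG, {"privatewiki"}):
        print(hit)
```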
Analytics:
- Impact: Data exposure (filenames, upload patterns).
- Attack Vector: Low-complexity HTTP requests.
- Patch Priority: High for private wikis.
Sources:
Reported By: github.com