CVE-2023-37911
org.xwiki.platform:xwiki-platform-oldcore may leak data through deleted and re-created documents
Description
### Impact When a document has been deleted and re-created, it is possible for users with view right on the re-created document but not on the deleted document to view the contents of the deleted document. Such a situation might arise when rights were added to the deleted document. This can be exploited through the diff feature and, partially, through the REST API by using versions such as `deleted:1` (where the number counts the deletions in the wiki and is thus guessable). Given sufficient rights, the attacker can also re-create the deleted document, thus extending the scope to any deleted document as long as the attacker has edit right in the location of the deleted document. ### Patches This vulnerability has been patched in XWiki 14.10.8 and 15.3 RC1 by properly checking rights when deleted revisions of a document are accessed. ### Workarounds The only workaround is to regularly [clean deleted documents](https://extensions.xwiki.org/xwiki/bin/view/Extension/Index%20Application#HPermanentlydeleteallpages) to minimize the potential exposure. Extra care should be taken when deleting sensitive documents that are protected individually (and not, e.g., by being placed in a protected space) or deleting a protected space as a whole. ### References * https://jira.xwiki.org/browse/XWIKI-20685 (root cause) * https://jira.xwiki.org/browse/XWIKI-20817 (exploitation via the diff feature) * https://jira.xwiki.org/browse/XWIKI-20684 (exploitation via the REST API) * https://github.com/xwiki/xwiki-platform/commit/f471f2a392aeeb9e51d59fdfe1d76fccf532523f
How to fix CVE-2023-37911
To remediate CVE-2023-37911, upgrade the affected package to a fixed version below.
- —upgrade to 14.10.8 or later
Is CVE-2023-37911 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.