Published: June 22, 2023
Modified: June 22, 2023
Impact

Any user can call a REST endpoint and obtain the obfuscated passwords (even when the mail obfuscation is activated). For instance, by calling http://localhost:8080/xwiki/rest/wikis/xwiki/spaces/XWiki/pages/U1/objects/XWiki.XWikiUsers/0 when user U1 exists on wiki xwiki.

Patches

The issue has been patched on XWiki 14.4.8, 14.10.6, and 15.1.

Workarounds

There is no known workaround. It is advised to upgrade to one of the patched versions.

References

https://jira.xwiki.org/browse/XWIKI-16138
https://github.com/xwiki/xwiki-platform/commit/824cd742ecf5439971247da11bfe7e0ad2b10ede

For more information

If you have any questions or comments about this advisory:
* Open an issue in Jira XWiki.org
* Email us at Security Mailing List
Metric | NVD | openEuler |
---|---|---|
CVSS score | 7.5 | |
Attack Vector | Network | |
Attack Complexity | Low | |
Privileges Required | None | |
User Interaction | None | |
Scope | Unchanged | |
Confidentiality | High | |
Integrity | None | |
Availability | None | |
Advisory | Summary | Published |
---|---|---|
KylinSec-SA-2023-1419 | Any user can call a REST endpoint and obtain the obfuscated passwords (even when the mail obfuscation is activated). Patched in XWiki 14.4.8, 14.10.6, and 15.1; no known workaround. | June 22, 2023 |
Product | Package | Status |
---|---|---|
KY3.4-4A | rest | Unaffected |
KY3.4-5A | rest | Unaffected |
KY3.5.1 | rest | Unaffected |
KY3.5.2 | rest | Unaffected |