Summary:
Impact: Any user can call a REST endpoint and obtain the obfuscated passwords (even when the mail obfuscation is activated). For instance, by calling http://localhost:8080/xwiki/rest/wikis/xwiki/spaces/XWiki/pages/U1/objects/XWiki.XWikiUsers/0 when user U1 exists on wiki xwiki.

Patches: The issue has been patched on XWiki 14.4.8, 14.10.6, and 15.1.

Workarounds: There is no known workaround. It is advised to upgrade to one of the patched versions.

References:
* https://jira.xwiki.org/browse/XWIKI-16138
* https://github.com/xwiki/xwiki-platform/commit/824cd742ecf5439971247da11bfe7e0ad2b10ede

For more information: If you have any questions or comments about this advisory:
* Open an issue in Jira XWiki.org
* Email us at Security Mailing List
Severity: Low
Advisory ID: KylinSec-SA-2023-1419
Published: 22 June 2023
Related CVE: CVE-2023-35151
CVE name | Product | Component | Affected |
---|---|---|---|
CVE-2023-35151 | KY3.4-4A | rest | Unaffected |
CVE-2023-35151 | KY3.4-5A | rest | Unaffected |
CVE-2023-35151 | KY3.5.1 | rest | Unaffected |
CVE-2023-35151 | KY3.5.2 | rest | Unaffected |