Moderate severityNVD Advisory· Published Oct 25, 2023· Updated Sep 17, 2024

org.xwiki.platform:xwiki-platform-oldcore may leak data through deleted and re-created documents

CVE-2023-37911

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 9.4-rc-1 and prior to versions 14.10.8 and 15.3-rc-1, when a document has been deleted and re-created, it is possible for users with view right on the re-created document but not on the deleted document to view the contents of the deleted document. Such a situation might arise when rights were added to the deleted document. This can be exploited through the diff feature and, partially, through the REST API by using versions such as deleted:1 (where the number counts the deletions in the wiki and is thus guessable). Given sufficient rights, the attacker can also re-create the deleted document, thus extending the scope to any deleted document as long as the attacker has edit right in the location of the deleted document. This vulnerability has been patched in XWiki 14.10.8 and 15.3 RC1 by properly checking rights when deleted revisions of a document are accessed. The only workaround is to regularly clean deleted documents to minimize the potential exposure. Extra care should be taken when deleting sensitive documents that are protected individually (and not, e.g., by being placed in a protected space) or deleting a protected space as a whole.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.xwiki.platform:xwiki-platform-oldcoreMaven	>= 9.4-rc-1, < 14.10.8	14.10.8
org.xwiki.platform:xwiki-platform-oldcoreMaven	>= 15.0-rc-1, < 15.3-rc-1	15.3-rc-1

Affected products

Xwiki/Xwiki Platformv5
Range: >= 9.4-rc-1, < 14.10.8

Patches

f471f2a392ae

XWIKI-20685: Check access on the revision provider in the script API

https://github.com/xwiki/xwiki-platformMichael HamannApr 4, 2023via ghsa

commit

4 files changed · +101 −7

xwiki-platform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/api/Document.java+12 −4 modified

@@ -31,6 +31,7 @@
 import java.util.Vector;
 
 import org.apache.commons.fileupload.FileItem;
+import org.apache.commons.lang.exception.ExceptionUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -52,6 +53,7 @@
 import org.xwiki.rendering.block.XDOM;
 import org.xwiki.rendering.parser.ParseException;
 import org.xwiki.rendering.syntax.Syntax;
+import org.xwiki.security.authorization.AuthorizationException;
 import org.xwiki.security.authorization.Right;
 import org.xwiki.stability.Unstable;
 import org.xwiki.user.CurrentUserReference;
@@ -3165,20 +3167,26 @@ public void rename(DocumentReference newReference, List<DocumentReference> backl
      * Allow to easily access any revision of a document
      *
      * @param revision the version to access
-     * @return the document corresponding to the requested revision or {@code null} if the revision does not exist.
+     * @return the document corresponding to the requested revision or {@code null} if the revision does not exist or
+     * access is denied.
      */
     public Document getDocumentRevision(String revision)
     {
         try {
-            XWikiDocument documentRevision = getDocumentRevisionProvider().getRevision(this.doc, revision);
+            DocumentRevisionProvider revisionProvider = getDocumentRevisionProvider();
+            revisionProvider.checkAccess(Right.VIEW, CurrentUserReference.INSTANCE, getDocumentReference(), revision);
+            XWikiDocument documentRevision = revisionProvider.getRevision(this.doc, revision);
 
             return documentRevision != null ? new Document(documentRevision, this.context) : null;
+        } catch (AuthorizationException e) {
+            LOGGER.info("Access denied for loading revision [{}] of document [{}]: [{}]", revision,
+                getDocumentReferenceWithLocale(), ExceptionUtils.getRootCauseMessage(e));
         } catch (Exception e) {
             LOGGER.error("Failed to load revision [{}] of document [{}]", revision, getDocumentReferenceWithLocale(),
                 e);
-
-            return null;
         }
+
+        return null;
     }
 
     /**

xwiki-platform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/api/XWiki.java+8 −1 modified

@@ -46,8 +46,10 @@
 import org.xwiki.model.reference.WikiReference;
 import org.xwiki.rendering.renderer.PrintRendererFactory;
 import org.xwiki.rendering.syntax.Syntax;
+import org.xwiki.security.authorization.AuthorizationException;
 import org.xwiki.security.authorization.ContextualAuthorizationManager;
 import org.xwiki.security.authorization.Right;
+import org.xwiki.user.CurrentUserReference;
 
 import com.xpn.xwiki.XWikiContext;
 import com.xpn.xwiki.XWikiException;
@@ -658,12 +660,17 @@ public Document getDocument(DocumentReference reference, String revision) throws
     {
         try {
             if (reference != null && getContextualAuthorizationManager().hasAccess(Right.VIEW, reference)) {
-                XWikiDocument documentRevision = getDocumentRevisionProvider().getRevision(reference, revision);
+                DocumentRevisionProvider revisionProvider = getDocumentRevisionProvider();
+                revisionProvider.checkAccess(Right.VIEW, CurrentUserReference.INSTANCE, reference, revision);
+                XWikiDocument documentRevision = revisionProvider.getRevision(reference, revision);
 
                 if (documentRevision != null) {
                     return new Document(documentRevision, this.context);
                 }
             }
+        } catch (AuthorizationException e) {
+            LOGGER.info("Access denied for loading revision [{}] of document [{}]: [{}]", revision, reference,
+                ExceptionUtils.getRootCauseMessage(e));
         } catch (Exception e) {
             LOGGER.error("Failed to access revision [{}] of document {}", revision, reference, e);
         }

xwiki-platform-core/xwiki-platform-oldcore/src/test/java/com/xpn/xwiki/api/DocumentTest.java+39 −0 modified

@@ -22,15 +22,21 @@
 import java.util.List;
 
 import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.RegisterExtension;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.ValueSource;
 import org.xwiki.component.manager.ComponentLookupException;
 import org.xwiki.component.util.DefaultParameterizedType;
 import org.xwiki.model.document.DocumentAuthors;
 import org.xwiki.model.internal.document.SafeDocumentAuthors;
 import org.xwiki.model.reference.DocumentReference;
 import org.xwiki.model.reference.ObjectReference;
 import org.xwiki.observation.ObservationManager;
+import org.xwiki.security.authorization.AuthorizationException;
 import org.xwiki.security.authorization.AuthorizationManager;
 import org.xwiki.security.authorization.Right;
+import org.xwiki.test.LogLevel;
+import org.xwiki.test.junit5.LogCaptureExtension;
 import org.xwiki.test.junit5.mockito.MockComponent;
 import org.xwiki.test.mockito.MockitoComponentManager;
 import org.xwiki.user.CurrentUserReference;
@@ -39,6 +45,7 @@
 
 import com.xpn.xwiki.XWikiContext;
 import com.xpn.xwiki.XWikiException;
+import com.xpn.xwiki.doc.DocumentRevisionProvider;
 import com.xpn.xwiki.doc.XWikiDocument;
 import com.xpn.xwiki.objects.BaseObject;
 import com.xpn.xwiki.objects.BaseProperty;
@@ -56,6 +63,7 @@
 import static org.mockito.ArgumentMatchers.eq;
 import static org.mockito.ArgumentMatchers.isNull;
 import static org.mockito.ArgumentMatchers.same;
+import static org.mockito.Mockito.doThrow;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.times;
 import static org.mockito.Mockito.verify;
@@ -74,6 +82,9 @@ class DocumentTest
     @MockComponent
     private ObservationManager observationManager;
 
+    @RegisterExtension
+    private LogCaptureExtension logCapture = new LogCaptureExtension(LogLevel.INFO);
+
     @Test
     void toStringReturnsFullName()
     {
@@ -390,4 +401,32 @@ void getAuthors()
         verify(mockAuthorizationManager, times(2)).hasAccess(Right.PROGRAM, userReference, currentDocReference);
         verify(currentDoc).clone();
     }
+
+    @ParameterizedTest
+    @ValueSource(booleans = { false, true })
+    void getDocumentRevision(boolean allowAccess, MockitoComponentManager componentManager) throws Exception
+    {
+        DocumentReference documentReference = new DocumentReference("Wiki", "Space", "Page");
+        XWikiDocument xWikiDocument = new XWikiDocument(documentReference);
+        Document document = new Document(xWikiDocument, this.oldcore.getXWikiContext());
+        DocumentRevisionProvider revisionProvider =
+            componentManager.registerMockComponent(DocumentRevisionProvider.class);
+        String revision = "42.1";
+        XWikiDocument revisionDocument = mock(XWikiDocument.class);
+        when(revisionProvider.getRevision(xWikiDocument, revision)).thenReturn(revisionDocument);
+        String deniedMessage = "Denied";
+        if (!allowAccess) {
+            doThrow(new AuthorizationException(deniedMessage)).when(revisionProvider)
+                .checkAccess(Right.VIEW, CurrentUserReference.INSTANCE, documentReference, revision);
+            assertNull(document.getDocumentRevision(revision));
+            assertEquals(1, this.logCapture.size());
+            assertEquals(String.format("Access denied for loading revision [%s] of document [%s()]: "
+                    + "[AuthorizationException: %s]", revision,
+                documentReference, deniedMessage), this.logCapture.getMessage(0));
+        } else {
+            assertEquals(new Document(revisionDocument, this.oldcore.getXWikiContext()),
+                document.getDocumentRevision(revision));
+        }
+        verify(revisionProvider).checkAccess(Right.VIEW, CurrentUserReference.INSTANCE, documentReference, revision);
+    }
 }

xwiki-platform-core/xwiki-platform-oldcore/src/test/java/com/xpn/xwiki/api/XWikiTest.java+42 −2 modified

@@ -23,17 +23,23 @@
 
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.ValueSource;
 import org.xwiki.model.reference.DocumentReference;
 import org.xwiki.observation.ObservationManager;
 import org.xwiki.rendering.renderer.PrintRendererFactory;
 import org.xwiki.rendering.syntax.Syntax;
+import org.xwiki.security.authorization.AuthorizationException;
+import org.xwiki.security.authorization.ContextualAuthorizationManager;
+import org.xwiki.security.authorization.Right;
 import org.xwiki.test.junit5.mockito.MockComponent;
 import org.xwiki.test.mockito.MockitoComponentManager;
 import org.xwiki.user.CurrentUserReference;
 import org.xwiki.user.UserReferenceResolver;
 
 import com.xpn.xwiki.XWikiContext;
 import com.xpn.xwiki.XWikiException;
+import com.xpn.xwiki.doc.DocumentRevisionProvider;
 import com.xpn.xwiki.doc.XWikiDocument;
 import com.xpn.xwiki.doc.XWikiDocumentArchive;
 import com.xpn.xwiki.test.MockitoOldcore;
@@ -45,6 +51,9 @@
 import static org.junit.jupiter.api.Assertions.assertNull;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.doThrow;
+import static org.mockito.Mockito.times;
+import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
 
 /**
@@ -56,6 +65,8 @@
 @ReferenceComponentList
 public class XWikiTest
 {
+    private static final DocumentReference DOCUMENT_REFERENCE = new DocumentReference("xwiki", "MilkyWay", "Fidis");
+
     @MockComponent
     private UserReferenceResolver<CurrentUserReference> currentUserReferenceUserReferenceResolver;
 
@@ -78,8 +89,7 @@ public void setup(MockitoOldcore mockitoOldcore) throws XWikiException
             .thenReturn(new XWikiDocumentArchive());
 
         xWikiContext.setUser("Redtail");
-        this.apiDocument =
-            new Document(new XWikiDocument(new DocumentReference("xwiki", "MilkyWay", "Fidis")), xWikiContext);
+        this.apiDocument = new Document(new XWikiDocument(DOCUMENT_REFERENCE), xWikiContext);
         this.apiDocument.getDocument().setCreator("c" + xWikiContext.getUser());
         this.apiDocument.getDocument().setAuthor("a" + xWikiContext.getUser());
         this.apiDocument.save();
@@ -134,4 +144,34 @@ public void getAvailableRendererSyntax(MockitoComponentManager componentManager)
         assertNull(this.apiXWiki.getAvailableRendererSyntax("plai", "1.0"));
         assertNull(this.apiXWiki.getAvailableRendererSyntax("plai", null));
     }
+
+    @ParameterizedTest
+    @ValueSource(booleans = { false, true })
+    void getDocumentRevision(boolean allowAccess, MockitoOldcore mockitoOldcore) throws Exception
+    {
+        DocumentRevisionProvider revisionProvider =
+            mockitoOldcore.getMocker().registerMockComponent(DocumentRevisionProvider.class);
+        ContextualAuthorizationManager contextualAuthorizationManager =
+            mockitoOldcore.getMockContextualAuthorizationManager();
+
+        XWikiDocument deletedDocument = new XWikiDocument(DOCUMENT_REFERENCE);
+        deletedDocument.setContent("Deleted");
+        String revision = "deleted:1";
+        when(revisionProvider.getRevision(DOCUMENT_REFERENCE, revision)).thenReturn(deletedDocument);
+
+        when(contextualAuthorizationManager.hasAccess(Right.VIEW, DOCUMENT_REFERENCE)).thenReturn(true);
+
+        if (!allowAccess) {
+            doThrow(new AuthorizationException("Denied")).when(revisionProvider)
+                .checkAccess(Right.VIEW, CurrentUserReference.INSTANCE, DOCUMENT_REFERENCE, revision);
+            assertNull(this.apiXWiki.getDocument(DOCUMENT_REFERENCE, revision));
+        } else {
+            assertEquals(new Document(deletedDocument, mockitoOldcore.getXWikiContext()),
+                this.apiXWiki.getDocument(DOCUMENT_REFERENCE, revision));
+        }
+
+        verify(revisionProvider, times(allowAccess ? 1 : 0)).getRevision(DOCUMENT_REFERENCE, revision);
+        verify(revisionProvider).checkAccess(Right.VIEW, CurrentUserReference.INSTANCE, DOCUMENT_REFERENCE, revision);
+        verify(contextualAuthorizationManager).hasAccess(Right.VIEW, DOCUMENT_REFERENCE);
+    }
 }

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-gh64-qxh5-4m33ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2023-37911ghsaADVISORY
extensions.xwiki.org/xwiki/bin/view/Extension/Index%20Applicationghsax_refsource_MISCWEB
github.com/xwiki/xwiki-platform/commit/f471f2a392aeeb9e51d59fdfe1d76fccf532523fghsax_refsource_MISCWEB
github.com/xwiki/xwiki-platform/security/advisories/GHSA-gh64-qxh5-4m33ghsax_refsource_CONFIRMWEB
jira.xwiki.org/browse/XWIKI-20684ghsax_refsource_MISCWEB
jira.xwiki.org/browse/XWIKI-20685ghsax_refsource_MISCWEB
jira.xwiki.org/browse/XWIKI-20817ghsax_refsource_MISCWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000