XWiki Platform Solr search discloses password hashes of all users
Description
XWiki Platform is a generic wiki platform. Starting in 7.2-milestone-2 and prior to versions 14.10.15, 15.5.2, and 15.7-rc-1, the Solr-based search in XWiki discloses the password hashes of all users to anyone with view right on the respective user profiles. By default, all user profiles are public. This vulnerability also affects any configurations used by extensions that contain passwords like API keys that are viewable for the attacker. Normally, such passwords aren't accessible but this vulnerability would disclose them as plain text. This has been patched in XWiki 14.10.15, 15.5.2 and 15.7RC1. There are no known workarounds for this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.xwiki.platform:xwiki-platform-search-solr-apiMaven | >= 7.2-milestone-2, < 14.10.15 | 14.10.15 |
org.xwiki.platform:xwiki-platform-search-solr-apiMaven | >= 15.0-rc-1, < 15.5.2 | 15.5.2 |
org.xwiki.platform:xwiki-platform-search-solr-apiMaven | >= 15.6-rc-1, < 15.7-rc-1 | 15.7-rc-1 |
Affected products
2- ghsa-coordsRange: >= 7.2-milestone-2, < 14.10.15
- Range: >= 7.2-milestone-2, < 14.10.15
Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-p6cp-6r35-32mhghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-50719ghsaADVISORY
- github.com/xwiki/xwiki-platform/commit/3e5272f2ef0dff06a8f4db10afd1949b2f9e6eeaghsax_refsource_MISCWEB
- github.com/xwiki/xwiki-platform/security/advisories/GHSA-p6cp-6r35-32mhghsax_refsource_CONFIRMWEB
- jira.xwiki.org/browse/XWIKI-21208ghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.