XWiki Platform's Livetable results still allow reconstructing password hashes using 768 requests
Description
Impact
XWiki discovered that the patch for GHSA-5cf8-vrr8-8hjm was insufficient and with slightly modified parameters to the LiveTableResults, it is still possible to discover password hashes one bit at a time, so with 768 requests, the full password salt and hash can be retrieved of a user.
Patches
The check for password (and email properties) has been adjusted in XWiki 18.0.0RC1, 17.10.13, 17.4.9 and 16.10.17.
Workarounds
The patch can be applied manually to the wiki page XWiki.LiveTableResultsMacros.
### Resources * https://jira.xwiki.org/browse/XWIKI-23875 * https://github.com/xwiki/xwiki-platform/commit/c4442716b02ffcdaa9d5e703b1db6203e36456fa
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.xwiki.platform:xwiki-platform-livetable-uiMaven | >= 6.2.1, < 16.10.17 | 16.10.17 |
org.xwiki.platform:xwiki-platform-livetable-uiMaven | >= 17.0.0-rc-1, < 17.4.9 | 17.4.9 |
org.xwiki.platform:xwiki-platform-livetable-uiMaven | >= 17.5.0-rc-1, < 17.10.3 | 17.10.3 |
Affected products
2- Range: >= 17.5.0-rc-1, < 17.10.3
Patches
Vulnerability mechanics
References
4News mentions
0No linked articles in our index yet.