XWiki Platform Security Authorization Bridge allows users with just edit right can enforce required rights with programming right

Description

Impact

In XWiki 16.10.0, required rights were introduced as a way to limit which rights a document can have. Part of the security model of required rights is that a user who doesn't have a right also cannot define that right as required right. That way, users who are editing documents on which required rights are enforced can be sure that they're not giving a right to a script or object that it didn't have before. A bug in the implementation of the enforcement of this rule means that in fact, it was possible for any user with edit right on a document to set programming right as required right. If then a user with programming right edited that document, the content of that document would gain programming right, allowing remote code execution. This thereby defeats most of the security benefits of required rights. As XWiki still performs the required rights analysis when a user edits a page even when required rights are enforced, the user with programming right would still be warned about the dangerous content unless the attacker managed to bypass this check (see, e.g., https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-c32m-27pj-4xcj). Note also that none of the affected versions include a UI for enabling the enforcing of required rights so it seems unlikely that anybody relied on them for security in the affected versions. As this vulnerability provides no additional attack surface unless all documents in the wiki enforce required rights, we consider the impact of this attack to be low even though gaining programming right could have a high impact.

Patches

This vulnerability has been patched in XWiki 16.10.4 and 17.1.0RC1.

Workarounds

We're not aware of any workarounds except for upgrading.

Basic information

Type
reviewed
Severity
medium
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2025-05-21 18:26:21 UTC
Updated
2025-05-21 19:41:20 UTC
GitHub reviewed
2025-05-21 18:26:21 UTC
NVD published
2025-05-21

EPSS Score

Score Percentile
4.88% 89.52%

CVSS Scores

Base score Version Severity Vector
4.8 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network.
Attack complexity (AC:L)
Exploitation conditions are straightforward and stable.
Attack requirements (AT:N)
No additional preconditions are required beyond normal reachability.
Privileges required (PR:L)
Low privileges are required.
User interaction (UI:A)
User interaction is required in an active way.
Vulnerable system confidentiality impact (VC:L)
Limited confidentiality impact on the vulnerable system.
Vulnerable system integrity impact (VI:L)
Limited integrity impact on the vulnerable system.
Vulnerable system availability impact (VA:L)
Limited availability impact on the vulnerable system.
Subsequent system confidentiality impact (SC:N)
No confidentiality impact on subsequent systems.
Subsequent system integrity impact (SI:N)
No integrity impact on subsequent systems.
Subsequent system availability impact (SA:N)
No availability impact on subsequent systems.

Identifiers

CWEs

CWE id Name
CWE-285 Improper Authorization

Affected packages (2)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
maven org.xwiki.platform:xwiki-platform-security-authorization-bridge >= 16.10.0-rc-1, < 16.10.4 16.10.4
maven org.xwiki.platform:xwiki-platform-security-authorization-bridge >= 17.0.0-rc-1, < 17.1.0-rc-1 17.1.0-rc-1

References

cvelogic Threat Intelligence