Cyber Resilience

CVE-2023-48241

High

Published: 20 November 2023

Modified: 21 November 2024
KEV added: not listed
Patch: available
CVSS v3.1 score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS score: 0.6919 (98.7th percentile)
Risk priority: 57 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-48241 is a high-severity Improper Authorization (CWE-285) vulnerability in XWiki Platform (vendor: XWiki). Its CVSS v3.1 base score is 7.5 (High).

Operationally, it ranks in the top 1.3% of CVEs by EPSS exploit likelihood, and it is not currently listed in the CISA KEV catalog.

Deeper analysis

XWiki Platform versions from 6.3-milestone-2 through 14.10.14, 15.5, and 15.6RC0 contain an information disclosure vulnerability in the Solr-based search suggestion provider. This component also serves as a generic JavaScript API for search results and, by default, is reachable without authentication. The rights check applied to results depends on document fields returned by Solr, so a caller who explicitly requests a field set that omits those fields receives results that never go through the check. Any user can therefore read document contents across all wikis, exposing nearly all stored data except protected items such as password hashes.

An unauthenticated attacker can exploit the issue over the network by sending direct Solr queries that omit the fields used for access-control verification. Successful exploitation yields read access to the full text of every document in every wiki on the instance, which is why the CVSS 7.5 vector records high confidentiality impact with no privileges or user interaction required.

The XWiki security advisory and associated commits state that the vulnerability is resolved in 14.10.15, 15.5.1, and 15.6RC1 by returning only documents whose rights can be verified; no workarounds are documented. The EPSS score stands at 0.69, with no indication that it rose from a lower baseline.

Vulnerability details

XWiki Platform is a generic wiki platform. Starting in version 6.3-milestone-2 and prior to versions 14.10.15, 15.5.1, and 15.6RC1, the Solr-based search suggestion provider that also duplicates as generic JavaScript API for search results in XWiki exposes the content of all documents of all wikis to anybody who has access to it, by default it is public. This exposes all information stored in the wiki (but not some protected information like password hashes). While there is a right check normally, the right check can be circumvented by explicitly requesting fields from Solr that don't include the data for the right check. This has been fixed in XWiki 15.6RC1, 15.5.1 and 14.10.15 by not listing documents whose rights cannot be checked. No known workarounds are available.
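A constructed model of the fail-open rights check described in the analysis and the vulnerability details above, beside the fail-closed form the advisory's fix describes; this is an added illustration, not XWiki's own code, and SOLR_INDEX, ACL, can_view and the two search_suggest_* functions are assumed names whose real counterparts (endpoint, query syntax, rights model) differ.

```python
from typing import Optional

# Constructed sample index standing in for Solr rows. Each row carries the
# document reference fields the rights check needs plus the protected content.
SOLR_INDEX = [
    {"wiki": "xwiki", "space": "Main", "name": "WebHome", "content": "Welcome"},
    {"wiki": "xwiki", "space": "HR", "name": "Salaries", "content": "confidential"},
]
RIGHTS_FIELDS = ("wiki", "space", "name")

# Constructed ACL: spaces absent from the map are readable by everyone;
# listed spaces are readable only by the named users.
ACL = {"HR": {"hr_admin"}}


def can_view(user: str, row: dict) -> Optional[bool]:
    """Rights check. Returns None when the row lacks the reference fields,
    i.e. when no decision can be made at all."""
    if any(f not in row for f in RIGHTS_FIELDS):
        return None
    allowed = ACL.get(row["space"])
    return allowed is None or user in allowed


def solr_query(fields: tuple) -> list:
    """Return only the caller-selected fields, as Solr's fl parameter does."""
    return [{f: row[f] for f in fields if f in row} for row in SOLR_INDEX]


def search_suggest_vulnerable(user: str, fields: tuple) -> list:
    """Fail-open: a row the check cannot evaluate (None) is still listed,
    so a caller who omits the reference fields is shown every document."""
    return [r for r in solr_query(fields) if can_view(user, r) is not False]


def search_suggest_fixed(user: str, fields: tuple) -> list:
    """Fail-closed, matching the advisory's fix: a row whose rights cannot
    be checked is not listed."""
    return [r for r in solr_query(fields) if can_view(user, r) is True]
```

The defensive point is the third state of can_view: a check that cannot run must be treated as a denial, not as the absence of a denial.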

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: xwiki
Product: xwiki
Affected versions: 6.3; 6.4 to 14.10.5; 15.0 to 15.5.1

Mitigating Controls

Likely mitigating controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-285: Documented procedures facilitate correct implementation and ongoing management of authorization decisions.
- Addresses CWE-285: Periodic reviews identify and correct flaws in authorization decisions or enforcement.
- Addresses CWE-285: The control's documentation requirement reduces improper authorization by ensuring only mission-justified actions bypass authentication.
- Addresses CWE-285: Establishing permitted attributes and values, plus auditing changes, ensures authorization decisions are based on correctly managed policy data.
- Addresses CWE-285: Explicitly mandates authorizing remote access types before permitting connections, directly mitigating improper authorization.
- Addresses CWE-285: The control explicitly requires authorization of each wireless access type prior to permitting connections.
- Addresses CWE-285: Mandating explicit authorization of mobile device connections reduces the risk of improper authorization decisions for system access.
- Addresses CWE-285: Specifying access authorizations for each account and requiring approvals for account requests enforces proper authorization decisions.
