XWiki Platform Subwiki Information Disclosure Vulnerability via REST API
Vulnerability
A vulnerability exists in XWiki Platform in subwikis using the 'Prevent unregistered users to view pages' setting, prior to versions 15.10.14, 16.4.6, and 16.10.0-rc-1. This issue allows unauthorized users to access private information through the REST API, or potentially another API, without credentials. The problem arises because the DefaultAuthorizationManager does not correctly set the wiki reference for subwikis, leading to improper access control. The vulnerability can be reproduced by enabling 'Prevent unregistered users to view pages' and attempting to access a protected page via the REST API as a guest user.
Impact
Exploitation of this vulnerability allows unauthorized access to private information on pages that should be restricted from unregistered users.
Reproduction
To reproduce this vulnerability, create a subwiki and a page within it. Then navigate to the rights settings for that subwiki and enable 'Prevent unregistered users to view pages'. After setting this restriction, attempt to access the page through the REST API as a guest user. The expected response is a 401 (authorization denied); the vulnerability is confirmed if the page information is returned without credentials.
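A way to verify the behaviour described above on your own instance (for example, after applying the fix), as an added example that is not code from the XWiki project: it requests each subwiki page through the REST API with no credentials and reports whether the expected 401 is returned. The base URL, wiki name and page names are placeholders to replace with your own.

```python
"""Verify that subwiki pages are not readable by unauthenticated (guest)
REST clients. Added example, not XWiki project code; the base URL, wiki
and page names used below are placeholders."""
import urllib.error
import urllib.parse
import urllib.request


def page_rest_url(base_url: str, wiki: str, spaces: list[str], page: str) -> str:
    """Build the XWiki REST URL for a page, supporting nested spaces
    (/rest/wikis/{wiki}/spaces/A/spaces/B/pages/{page})."""
    q = urllib.parse.quote
    space_path = "/".join(f"spaces/{q(s, safe='')}" for s in spaces)
    return (f"{base_url.rstrip('/')}/rest/wikis/{q(wiki, safe='')}/"
            f"{space_path}/pages/{q(page, safe='')}")


def fetch_as_guest(url: str) -> int:
    """GET the URL without any credentials and return the HTTP status code."""
    req = urllib.request.Request(url, headers={"Accept": "application/xml"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def classify(status: int) -> str:
    """Map the guest response to a verdict. With 'Prevent unregistered users
    to view pages' enabled, a protected page must answer 401."""
    if status == 401:
        return "protected"
    if status == 200:
        return "EXPOSED"        # page data served without credentials
    if status == 404:
        return "not-found"      # wrong wiki/space/page name; re-check the path
    return f"unexpected-{status}"


def check_pages(base_url, wiki, targets, fetch=fetch_as_guest):
    """Check each (spaces, page) pair and return {url: verdict}. `fetch` is
    injectable so the logic can be exercised offline."""
    results = {}
    for spaces, page in targets:
        url = page_rest_url(base_url, wiki, spaces, page)
        results[url] = classify(fetch(url))
    return results


if __name__ == "__main__":
    # Placeholders: replace with your own instance, subwiki and pages.
    report = check_pages("https://wiki.example.invalid/xwiki", "subwiki1",
                         [(["Main"], "WebHome"), (["Private", "Docs"], "Secret")])
    for url, verdict in report.items():
        print(f"{verdict:>12}  {url}")
```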
Remediation
Users can update to XWiki versions 15.10.14, 16.4.6, or 16.10.0-rc-1 to address this vulnerability.