XWiki
cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*
- >= 6.1-milestone-1, < 15.10.12
- >= 16.0.0-rc-1, < 16.4.3
- >= 16.5.0-rc-1, < 16.8.0-rc-1
A vulnerability exists in the XWiki LESS compiler script API, affecting versions from 6.1-milestone-1 up to (but not including) 15.10.12, from 16.0.0-rc-1 up to (but not including) 16.4.3, and from 16.5.0-rc-1 up to (but not including) 16.8.0-rc-1. The issue arises because the script API does not properly verify rights when invoking the cache cleaning API. This flaw enables cache clearing without the necessary programming rights. While this vulnerability could lead to a performance degradation as caches are emptied and then replenished, its overall impact is minimal. This is because it requires script rights to exploit, and those rights already permit unrestricted script execution, which could cause a similar performance impact.
Exploitation of this vulnerability can lead to an unnecessary performance slowdown in XWiki, as the cache is cleared and then needs to be rebuilt. However, this vulnerability's impact is considered low, given that it requires script rights to exploit, and those rights already allow unlimited execution of scripts, which could similarly affect performance.
The vulnerability can be reproduced by using the LESS compiler script API to clear the cache without having the required programming rights. This can be done by a user with script rights, as the vulnerability allows them to bypass the normal rights management and perform the cache clearing operation. Once the cache is cleared, XWiki will experience a slowdown as the caches are emptied and then need to be refilled, impacting the application's performance.
Users can upgrade to XWiki versions 15.10.12, 16.4.3, or 16.8.0-rc-1, where this vulnerability has been patched.
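To triage an inventory against the affected ranges listed above, the following added example (not code from XWiki or from this advisory) checks a version string against the three ranges. It assumes Maven-style ordering, where milestone and rc builds sort before the final release of the same number; the function names `parse_version` and `is_affected` are illustrative.

```python
import re

# Assumption: Maven-style ordering, milestone < rc < final release.
_QUAL_RANK = {"milestone": 0, "rc": 1, "": 2}

# Affected ranges copied from the advisory: (inclusive lower, exclusive upper).
AFFECTED_RANGES = [
    ("6.1-milestone-1", "15.10.12"),
    ("16.0.0-rc-1", "16.4.3"),
    ("16.5.0-rc-1", "16.8.0-rc-1"),
]

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-(milestone|rc)-(\d+))?$")


def parse_version(text):
    """Turn '16.4.3' or '16.8.0-rc-1' into a sortable key."""
    m = _VERSION_RE.match(text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {text!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    # Pad to three components so '6.1' and '6.1.0' compare equal.
    nums += [0] * (3 - len(nums))
    qualifier = m.group(2) or ""
    qual_num = int(m.group(3)) if m.group(3) else 0
    return (tuple(nums), _QUAL_RANK[qualifier], qual_num)


def is_affected(version):
    """True if the version falls inside any affected range from the advisory."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


if __name__ == "__main__":
    # Constructed inventory of version strings, for illustration only.
    for candidate in ["6.0", "6.1-milestone-1", "15.10.11", "15.10.12",
                      "16.4.2", "16.4.3", "16.7.1", "16.8.0-rc-1", "16.8.0"]:
        status = "AFFECTED" if is_affected(candidate) else "not affected"
        print(f"{candidate:18} {status}")
```

Versions that fall between the ranges, such as 16.4.3 or later 16.4.x releases, are reported as not affected because they already carry the fix.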