XWiki Jetty Package File Access Vulnerability

Vulnerability

A vulnerability in the XWiki Jetty package (XJetty) allows any file under the webapp/ directory to be served as a static resource, including sensitive files that may contain credentials. This issue affects XWiki from version 16.7.0 up to, but not including, the fixed releases 16.10.11, 17.4.4, and 17.7.0.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive application files, such as configuration files that may contain credentials.

Reproduction

The vulnerability can be reproduced by deploying XWiki with the Jetty package using the default configuration. Once the application is running, files in the WEB-INF directory, such as xwiki.cfg, xwiki.properties, and hibernate.cfg.xml, can be retrieved directly by requesting their path in the URL.

Remediation

Users should update to XWiki 16.10.11, 17.4.4, or 17.7.0, which contain the fix. For those running the Jetty package, it is also recommended to modify the start_xwiki.sh script so that the JETTY_BASE variable is set to an absolute path instead of the default relative path.
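As an added example (not the XWiki project's own start_xwiki.sh), the following POSIX shell helpers show the remediation above: JETTY_BASE is resolved to an absolute path and startup is refused if it is still relative, and a post-upgrade check confirms that the WEB-INF files named above are no longer served. The installation directory, the default Jetty base name "jetty", and the base URL are assumptions.

```shell
#!/bin/sh
# Added example, not the XWiki project's script. Assumes start_xwiki.sh lives
# in the XWiki installation directory and that the Jetty base directory is
# "jetty" beneath it (the real default may differ).

# Resolve a possibly relative path against a base directory. Pure string
# handling, so it works even before the directory exists.
resolve_abs_path() {
    base_dir="$1"; rel="$2"
    case "$rel" in
        /*) printf '%s\n' "$rel" ;;
        *)  printf '%s/%s\n' "${base_dir%/}" "${rel#./}" ;;
    esac
}

# Return 0 if the argument is an absolute path, 1 otherwise.
is_absolute_path() {
    case "$1" in
        /*) return 0 ;;
        *)  return 1 ;;
    esac
}

# Replacement for the relative default in start_xwiki.sh: derive JETTY_BASE
# from the script's own directory and refuse to continue if it is not absolute.
# In the real script the first argument would be "$(cd "$(dirname "$0")" && pwd)".
set_jetty_base() {
    script_dir="$1"
    JETTY_BASE="$(resolve_abs_path "$script_dir" "${JETTY_BASE:-jetty}")"
    if ! is_absolute_path "$JETTY_BASE"; then
        echo "refusing to start: JETTY_BASE is not absolute: $JETTY_BASE" >&2
        return 1
    fi
    export JETTY_BASE
    printf '%s\n' "$JETTY_BASE"
}

# Post-upgrade verification against a running instance (needs curl). Each
# WEB-INF file listed in the advisory must not be returned with HTTP 200.
# The base URL is an assumption; adjust it to the deployed context path.
verify_webinf_blocked() {
    base_url="${1:-http://localhost:8080/xwiki}"
    rc=0
    for f in xwiki.cfg xwiki.properties hibernate.cfg.xml; do
        code="$(curl -s -o /dev/null -w '%{http_code}' "$base_url/WEB-INF/$f")"
        if [ "$code" = "200" ]; then
            echo "EXPOSED: WEB-INF/$f (HTTP 200)" >&2; rc=1
        else
            echo "blocked: WEB-INF/$f (HTTP $code)"
        fi
    done
    return $rc
}
```

Run `verify_webinf_blocked` only after patching or after fixing JETTY_BASE; a non-zero exit means at least one configuration file is still being served.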

Added: Dec 1, 2025, 9:25 PM
Updated: Dec 1, 2025, 9:25 PM

Vulnerability Rating

Custom Algorithm

  spread          3.1
  impact          2.5
  exploitability  9.5
  remediation     8.3
  relevance       1.3
  threat          6.4
  urgency         2.9
  incentive      10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.