CVE-2025-55749
8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
XWiki is an open-source wiki software platform. From 16.7.0 to 16.10.11, 17.4.4, or 17.7.0, in an instance which is using the XWiki Jetty package (XJetty), a context is exposed to statically access any file located in the webapp/ folder. It allows accessing files which might contains credentials. Fixed in 16.10.11, 17.4.4, and 17.7.0.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| xwiki | xwiki-platform | >= 16.7.0, < 16.10.11 | affected |
| xwiki | xwiki-platform | >= 17.0.0-rc1, < 17.4.4 | affected |
| xwiki | xwiki-platform | >= 17.5.0, < 17.7.0 | affected |
Weaknesses
- CWE-284: CWE-284: Improper Access Control
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-53gx-j3p6-2rw9
- https://github.com/xwiki/xwiki-platform/commit/42fb063749dd88cc78196f72d7318b7179285ebd
- https://github.com/xwiki/xwiki-platform/commit/99a04a0e2143583f5154a43e02174155da7e8e10
- https://github.com/xwiki/xwiki-platform/compare/8b68d8a70b43f25391b3ee48477d7eb71b95cf4b…99a04a0e2143583f5154a43e02174155da7e8e10
- https://jira.xwiki.org/browse/XWIKI-23438
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.