GHSA-r5cr-xm48-97xp
First published: Wed Apr 30 2025(Updated: )
### Impact Anyone can access the metadata of any attachment in the wiki using the wiki attachment REST endpoint. It's not filtering the result depending on current user rights, a not authenticated user could exploit this even in a totally private wiki. To reproduce: * remove view from guest on the whole wiki * logout * access http://127.0.0.1:8080/xwiki/rest/wikis/xwiki/attachments You get a list of attachments, while the expected result should be an empty list. ### Patches This vulnerability has been fixed in XWiki 14.10.22, 15.10.12, 16.7.0-rc-1 and 16.4.3. ### Workarounds We're not aware of any workaround except upgrading. ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) * Email us at [Security Mailing List](mailto:security@xwiki.org) ### Attribution Issue reported by Lukas Monert.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.xwiki.platform:xwiki-platform-rest-server | >=16.5.0-rc-1<16.7.0 | 16.7.0 |
| maven/org.xwiki.platform:xwiki-platform-rest-server | >=16.0.0-rc-1<16.4.3 | 16.4.3 |
| maven/org.xwiki.platform:xwiki-platform-rest-server | >=15.0-rc-1<15.10.12 | 15.10.12 |
| maven/org.xwiki.platform:xwiki-platform-rest-server | >=1.8.1<14.10.22 | 14.10.22 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-r5cr-xm48-97xp
- https://github.com/xwiki/xwiki-platform/commit/37ecea84fdd053c33733c2ae9a0778bf98eae608
- https://github.com/xwiki/xwiki-platform/commit/a43e933ddeda17dad1772396e1757998260e9342
- https://github.com/xwiki/xwiki-platform/commit/c02ce7843a39851865b9d7b6132e32fdd21e3856
- https://jira.xwiki.org/browse/XWIKI-22424
- https://nvd.nist.gov/vuln/detail/CVE-2025-46554
- https://github.com/advisories/GHSA-r5cr-xm48-97xp (Advisory)
Frequently Asked Questions
What is the severity of GHSA-r5cr-xm48-97xp?
The severity of GHSA-r5cr-xm48-97xp is critical due to unauthorized access to metadata of any attachment.
How do I fix GHSA-r5cr-xm48-97xp?
To fix GHSA-r5cr-xm48-97xp, update the xwiki-platform-rest-server to one of the following versions: 16.7.0, 16.4.3, 15.10.12, or 14.10.22.
What systems are affected by GHSA-r5cr-xm48-97xp?
GHSA-r5cr-xm48-97xp affects xwiki-platform-rest-server versions between 14.10.22 and 16.7.0 inclusive.
Can unauthorized users exploit GHSA-r5cr-xm48-97xp?
Yes, unauthorized users can exploit GHSA-r5cr-xm48-97xp to access metadata in private wikis.
What type of vulnerability is GHSA-r5cr-xm48-97xp?
GHSA-r5cr-xm48-97xp is a vulnerability related to improper access control in the wiki attachment REST endpoint.
- agent/severity
- agent/weakness
- agent/source
- agent/type
- agent/description
- agent/first-publish-date
- agent/softwarecombine
- agent/event
- agent/references
- agent/last-modified-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-r5cr-xm48-97xp
- alias/CVE-2025-46554
- agent/software-canonical-lookup
- agent/tags
- package-manager/maven