| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.xwiki.platform:xwiki-platform-security-authorization-bridge | maven | >= 16.10.0-rc-1, < 16.10.4 | 16.10.4 |
| org.xwiki.platform:xwiki-platform-security-authorization-bridge | maven | >= 17.0.0-rc-1, < 17.1.0-rc-1 | 17.1.0-rc-1 |

The vulnerability allows a user with edit rights to set a 'required right' (such as programming right) on a document even if they do not hold that right themselves. The cause was a `NullPointerException` in the `checkModifiedRequiredRights` method of `RightsFilterListener.java`.

When a user attempted to add a new required right they did not have, and the scope of that right was `null`, `this.authorization.checkAccess` correctly threw an `AccessDeniedException`. In the catch block for that exception, however, the expression `requiredRight.scope().getLowerCase()` dereferenced the `null` scope and threw an NPE. This NPE could disrupt the subsequent `event.cancel()` call, effectively bypassing the security check and allowing the malicious change.

The patch replaces `requiredRight.scope().getLowerCase()` with `requiredRight.scope()`, which the string formatting handles gracefully when the scope is `null`, ensuring that `event.cancel()` is reached. The primary vulnerable function is `checkModifiedRequiredRights`, where both the flawed logic and the fix reside. The `onEvent` method is also relevant as the entry point that calls `checkModifiedRequiredRights`.
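The failure mode described above, an exception thrown inside the `catch` block that handles the denial, is easier to see in code. The following is an added, self-contained illustration written for this page; it is not XWiki's own code. The `Scope`, `RequiredRight`, `CancelableEvent` and `checkAccess` types and the `failClosedCheck` variant are constructed stand-ins for the XWiki types the advisory names, and the "programming" right with a `null` scope is constructed input.

```java
import java.util.List;

public class RequiredRightsCancelDemo {

    // Constructed stand-in for XWiki's scope type; getLowerCase() mirrors the call in the advisory.
    enum Scope { DOCUMENT, SPACE, WIKI; String getLowerCase() { return name().toLowerCase(); } }

    // Constructed stand-in: a required right with a scope that may legitimately be null.
    record RequiredRight(String right, Scope scope) {}

    static class AccessDeniedException extends Exception {
        AccessDeniedException(String msg) { super(msg); }
    }

    // Minimal cancelable event, modelled on the event.cancel() call the advisory describes.
    static class CancelableEvent {
        private boolean canceled;
        private String reason;
        void cancel(String reason) { this.canceled = true; this.reason = reason; }
        boolean isCanceled() { return canceled; }
        String reason() { return reason; }
    }

    // Stand-in authorization check: the current user holds no programming right, so requesting it is denied.
    static void checkAccess(RequiredRight r) throws AccessDeniedException {
        if ("programming".equals(r.right())) {
            throw new AccessDeniedException("user lacks right " + r.right());
        }
    }

    // Vulnerable shape: the catch block dereferences scope() before cancel() is reached.
    static boolean vulnerableCheck(List<RequiredRight> added, CancelableEvent event) {
        for (RequiredRight requiredRight : added) {
            try {
                checkAccess(requiredRight);
            } catch (AccessDeniedException e) {
                // With a null scope this line throws NullPointerException and event.cancel() never runs.
                String msg = String.format("Required right [%s] with scope [%s] cannot be set: %s",
                        requiredRight.right(), requiredRight.scope().getLowerCase(), e.getMessage());
                event.cancel(msg);
                return false;
            }
        }
        return true;
    }

    // Patched shape: String.format renders a null scope as "null", so cancel() always executes.
    static boolean patchedCheck(List<RequiredRight> added, CancelableEvent event) {
        for (RequiredRight requiredRight : added) {
            try {
                checkAccess(requiredRight);
            } catch (AccessDeniedException e) {
                String msg = String.format("Required right [%s] with scope [%s] cannot be set: %s",
                        requiredRight.right(), requiredRight.scope(), e.getMessage());
                event.cancel(msg);
                return false;
            }
        }
        return true;
    }

    // Additional fail-closed layer (not part of the advisory's patch, added here as a defensive pattern):
    // any unexpected exception in the check cancels the event instead of letting the change proceed.
    static boolean failClosedCheck(List<RequiredRight> added, CancelableEvent event) {
        try {
            return patchedCheck(added, event);
        } catch (RuntimeException unexpected) {
            event.cancel("Required rights check failed unexpectedly: " + unexpected);
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed malicious change: requests programming right with a null scope.
        List<RequiredRight> change = List.of(new RequiredRight("programming", null));

        CancelableEvent vulnerableEvent = new CancelableEvent();
        try {
            vulnerableCheck(change, vulnerableEvent);
        } catch (NullPointerException npe) {
            System.out.println("vulnerable: NPE escaped the listener; event canceled = "
                    + vulnerableEvent.isCanceled());
        }

        CancelableEvent patchedEvent = new CancelableEvent();
        patchedCheck(change, patchedEvent);
        System.out.println("patched: event canceled = " + patchedEvent.isCanceled()
                + " (" + patchedEvent.reason() + ")");

        CancelableEvent guardedEvent = new CancelableEvent();
        failClosedCheck(change, guardedEvent);
        System.out.println("fail-closed: event canceled = " + guardedEvent.isCanceled());
    }
}
```

Running `main` shows the two outcomes side by side: in the vulnerable path the `NullPointerException` leaves the listener with the event still uncanceled, which is the bypass, while the patched path reaches `event.cancel()` with the scope rendered as `null`. The `failClosedCheck` wrapper is a general hardening for listeners that veto changes: if the veto logic itself throws, the safe default is to cancel, so that a crash in the check can never be mistaken for approval.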