
CVE-2024-21650 - Not Patched in 16.5.0


Details

    • Bug
    • Resolution: Invalid
    • Major
    • None
    • 16.5.0
    • User - User Profile
    • xwiki:16.5.0-mysql-tomcat image on RHEL8 Podman, behind Nginx version 1.26.1 reverse proxy
    • Unknown
    • N/A
    • N/A

    Description

      Hello,

      We have a self-hosted instance of XWiki, version 16.5.0 pulled from Docker Hub, that appears to be susceptible to the known vulnerability addressed in CVE-2024-21650 and https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rj7p-xjv7-7229

      We appear to have unauthenticated users successfully creating accounts on the wiki, even though self-registration is disabled. See the attached screenshot. Perhaps we have something misconfigured? This instance has been upgraded from 13.x to 14.x, 25.x and now 16.10.5.
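      An added example, not code from the reporter or from the XWiki project: when accounts appear on a wiki whose self-registration is switched off, the first thing to establish is which HTTP requests created them. The script below pulls registration POSTs out of the Nginx access log, which is the layer this instance sits behind, and separates the ones the wiki answered with a 2xx/3xx from the ones it rejected with a 4xx. It assumes the default Nginx "combined" log format and that the wiki is served at the context root, so the registration action is reached under /bin/register/ (an assumption; a /xwiki/ context path would need the prefix changed). The log lines are constructed for the example and are not taken from the report.

```python
import re
from typing import Dict, List, Optional

# Default Nginx "combined" log_format. $remote_user is HTTP basic-auth only;
# it says nothing about whether the client held an XWiki session.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Assumption: wiki served at the context root, so the XWiki "register" action
# is under /bin/register/. Use "/xwiki/bin/register/" for a /xwiki/ context path.
REGISTER_PREFIX = "/bin/register/"

# Constructed sample log lines (not from the reporter's instance).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jul/2024:10:01:02 +0000] "GET /bin/view/Main/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jul/2024:10:01:09 +0000] "GET /bin/register/XWiki/XWikiRegister HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jul/2024:10:01:15 +0000] "POST /bin/register/XWiki/XWikiRegister HTTP/1.1" 302 0 "https://wiki.example.test/bin/register/XWiki/XWikiRegister" "Mozilla/5.0"
198.51.100.4 - admin [12/Jul/2024:10:05:00 +0000] "POST /bin/save/XWiki/NewUser HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Jul/2024:10:07:44 +0000] "POST /bin/register/XWiki/XWikiRegister HTTP/1.1" 403 1201 "-" "curl/8.5.0"
"""


def parse_line(line: str) -> Optional[Dict]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def find_registration_attempts(log_text: str) -> List[Dict]:
    """Return every POST to the registration action, in log order.

    A 2xx/3xx means the wiki did not refuse the request at the HTTP level;
    whether a user document was actually created must be confirmed against
    the wiki's own user list, because a redirect alone does not prove it.
    """
    attempts = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or entry["method"] != "POST":
            continue
        if not entry["path"].startswith(REGISTER_PREFIX):
            continue
        entry["accepted"] = 200 <= entry["status"] < 400
        attempts.append(entry)
    return attempts


def summarize(attempts: List[Dict]) -> Dict:
    """Count accepted vs rejected registration POSTs and list the client IPs behind the accepted ones."""
    accepted = [a for a in attempts if a["accepted"]]
    rejected = [a for a in attempts if not a["accepted"]]
    return {
        "accepted": len(accepted),
        "rejected": len(rejected),
        "accepted_client_ips": sorted({a["ip"] for a in accepted}),
    }


if __name__ == "__main__":
    found = find_registration_attempts(SAMPLE_LOG)
    for a in found:
        verdict = "accepted" if a["accepted"] else "rejected"
        print(f'{a["time"]} {a["ip"]} {a["status"]} {verdict} {a["agent"]}')
    print(summarize(found))
```

      Run it against the Nginx access log rather than Tomcat's: behind a reverse proxy, Tomcat records the proxy's address as the client unless it is configured to trust X-Forwarded-For (its RemoteIpValve), so the proxy log is where the real client IPs are. Each accepted POST should then be matched against the creation dates of the unexpected user documents in the wiki; if they line up, the registration action is reachable despite the setting and the configuration of that action is what needs checking.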

          People

            surli Simon Urli
            sdungan Scott Dungan