XWiki Platform / XWIKI-22325

CVE-2024-21650 - Not Patched in 16.5.0

Details

    • Type: Bug
    • Resolution: Invalid
    • Priority: Major
    • Fix Version/s: None
    • Affects Version/s: 16.5.0
    • Component/s: User - User Profile
    • Environment: xwiki:16.5.0-mysql-tomcat image on RHEL8 Podman, behind Nginx version 1.26.1 reverse proxy
    • Difficulty: Unknown

    Description

      Hello,

      We have a self-hosted instance of XWiki, version 16.5.0 pulled from Docker Hub, that appears to be susceptible to the known vulnerability addressed in CVE-2024-21650 and https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rj7p-xjv7-7229.

      We appear to have unauthenticated users successfully creating accounts on the wiki, even though self-registration is disabled. See the attached screenshot. Perhaps we have something misconfigured? This instance has been upgraded from 13.x, to 14.x, 25.x and now 16.10.5.

      Attachments

        1. 16.5.0-exploit.jpg (382 kB, uploaded by Scott Dungan)
        2. rights.jpg (233 kB, uploaded by Scott Dungan)

      People

        Assignee: Simon Urli (surli)
        Reporter: Scott Dungan (sdungan)