
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2022-23615 is a security vulnerability in XWiki Platform that affects versions from 1.0 up to the fix in 13.0 and was disclosed on February 9, 2022. It allows any user with SCRIPT rights (EDIT rights before XWiki 7.4) to save a document with elevated privileges when the current user, that is the user whose session executes the script, has programming rights (GitHub Advisory).
The vulnerability is rated Moderate severity with a CVSS v3.1 base score of 6.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N). It is an improper access control issue (CWE-284): the document save API did not check the rights of the script's author when saving a document. XWiki executes a document's scripts with the rights of that document's content author, and the save API records the current user as the author of the saved document. When a script written by a user with only SCRIPT rights saves a document while it is executing in the session of a user with programming rights, the saved document is attributed to the privileged user, so scripts in it can then reach APIs restricted to programming rights (GitHub Advisory).
In practice an attacker with SCRIPT rights escalates to programming rights by getting a privileged user to execute a script that saves a document: the saved document's scripts run with the rights of its content author, which is now the privileged user. This gives unauthorized access to sensitive, programming-right-restricted APIs and can lead to compromise of the XWiki instance, since the attacker can create and execute scripts with Programming Rights whenever the content author holds that privilege, bypassing the intended security controls (Jira XWiki).
The issue is patched in XWiki version 13.0. Until the patch is applied, the only recommended workaround is to grant SCRIPT rights only to trusted users. The fix adds the configuration property security.script.save.checkAuthor, which controls whether the document save API checks the script author's rights when saving a document (GitHub Advisory).
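The confused-deputy pattern described above, as an added toy model written for this entry; it is not XWiki's code or API. The model reproduces the two XWiki rules that matter here (a page's scripts execute with the rights of the page's content author, while API calls made by those scripts run in the session of the user viewing the page) and shows how a save issued from a SCRIPT-right user's page ends up attributed to a programming-right viewer. All names (User, Document, Wiki, save_document, render, run_scenario) are assumptions made for the example, and the patched branch's reaction (stamping the script author rather than the viewer as the saved page's author) is also an assumption standing in for the author check; the page only says the fix checks the script author's rights.

```python
"""Toy model of the CVE-2022-23615 save path (illustration, not XWiki code)."""
from dataclasses import dataclass
from typing import Callable, Optional

SCRIPT = "script"
PROGRAMMING = "programming"


@dataclass(frozen=True)
class User:
    name: str
    rights: frozenset  # e.g. frozenset({SCRIPT}) or frozenset({SCRIPT, PROGRAMMING})


@dataclass
class Document:
    name: str
    content: str
    author: User  # content author: the page's scripts execute with this user's rights
    # Stand-in for an embedded script; called as script(wiki, current_user, script_author).
    script: Optional[Callable] = None


class Wiki:
    def __init__(self, check_author: bool):
        # check_author stands for security.script.save.checkAuthor (assumption: True = patched).
        self.check_author = check_author
        self.docs = {}

    def save_document(self, name, content, *, current_user, script_author, script=None):
        """Document save API as invoked from a script.

        current_user:  user of the session executing the save (the page viewer).
        script_author: content author of the page whose script issued the save.
        """
        author = current_user  # unpatched: the saving session's user becomes the author
        if self.check_author and PROGRAMMING not in script_author.rights:
            # Modelled patched behaviour (assumption): a script author without
            # programming right cannot produce a page attributed to someone who has it.
            author = script_author
        self.docs[name] = Document(name, content, author, script)
        return self.docs[name]

    def render(self, name, viewer):
        """Render a page for `viewer`: its script runs as the content author,
        but any API call inside it executes in the viewer's session."""
        doc = self.docs[name]
        if doc.script is not None:
            doc.script(self, viewer, doc.author)

    def effective_rights(self, name):
        """Rights that scripts stored in page `name` would execute with."""
        return set(self.docs[name].author.rights)


def run_scenario(check_author: bool) -> set:
    """A SCRIPT-right user plants a page whose script saves a second page, then a
    programming-right user views it. Returns the rights the second page's scripts
    would run with."""
    wiki = Wiki(check_author)
    attacker = User("attacker", frozenset({SCRIPT}))
    admin = User("admin", frozenset({SCRIPT, PROGRAMMING}))

    def planted_script(w, current_user, script_author):
        # Constructed payload; the content string is inert in this model.
        w.save_document("Payload", "script that needs programming right",
                        current_user=current_user, script_author=script_author)

    # The attacker can only author pages as themself (no programming right).
    wiki.docs["Lure"] = Document("Lure", "looks harmless", attacker, planted_script)
    wiki.render("Lure", viewer=admin)  # the privileged user opens the lure page
    return wiki.effective_rights("Payload")


if __name__ == "__main__":
    print("unpatched:", sorted(run_scenario(False)))  # ['programming', 'script']
    print("patched:  ", sorted(run_scenario(True)))   # ['script']
```

The UI:R component of the CVSS vector corresponds to the `render("Lure", viewer=admin)` step: the escalation needs a programming-right user to open the attacker's page. The `check_author` flag plays the role of the security.script.save.checkAuthor property from the fix; with it off, the Payload page inherits the viewer's programming right, with it on, the page stays bound to the attacker's own rights.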
Source: This report was generated using AI