CVE-2022-23621: 
Java vulnerability analysis and mitigation

XWiki Platform, a generic wiki platform offering runtime services, was found to contain a vulnerability (CVE-2022-23621) where any user with SCRIPT right could read any file located in the XWiki WAR through XWiki#invokeServletAndReturnAsString function. The vulnerability was discovered in July 2021 and patched in versions 12.10.9, 13.4.3, and 13.7-rc-1 (GitHub Advisory).

The vulnerability allows users with SCRIPT right to access sensitive files within the XWiki WAR file by using the XWiki#invokeServletAndReturnAsString function. For example, an attacker could read sensitive configuration files like xwiki.cfg and xwiki.properties using the command $xwiki.invokeServletAndReturnAsString("/WEB-INF/xwiki.cfg"). The vulnerability has been assigned a CVSS v3.1 base score of 6.0 (Moderate) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:H (GitHub Advisory).

The vulnerability allows unauthorized access to sensitive configuration files within the XWiki WAR file, potentially exposing critical system information such as superadmin passwords and other configuration details. This could lead to further system compromise and unauthorized access to protected resources (Jira Issue).

The vulnerability has been patched in XWiki versions 12.10.9, 13.4.3, and 13.7-rc-1. Users are strongly advised to upgrade to these versions or later. As a temporary workaround, administrators should limit SCRIPT rights to only trusted users (GitHub Advisory).