CVE-2022-24819: 
Java vulnerability analysis and mitigation

XWiki Platform, a generic wiki platform offering runtime services for applications, was found to contain a security vulnerability (CVE-2022-24819) where guest users without proper viewing permissions could still access and list documents related to wiki users. The vulnerability was discovered and disclosed in April 2022, affecting versions prior to 12.10.11, 13.4.4, and 13.9-rc-1 (GitHub Advisory).

The vulnerability is classified as a Moderate severity issue with a CVSS v3.1 base score of 5.3 (MEDIUM). The attack vector is Network-based (AV:N), with Low attack complexity (AC:L), requiring No privileges (PR:N) and No user interaction (UI:N). The scope is Unchanged (S:U), with Low impact on confidentiality (C:L) and No impact on integrity (I:N) or availability (A:N). The vulnerability is categorized under CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor) (GitHub Advisory, NVD).

The vulnerability allows unauthorized access to user information, specifically enabling guest users to retrieve lists of wiki users and their associated fullnames through a publicly accessible URL, even when the wiki is configured as private. This represents a data leak that could expose sensitive user information (Jira Issue).

The vulnerability has been patched in XWiki versions 12.10.11, 13.4.4, and 13.9-rc-1. Users are advised to upgrade to these or later versions as there is no known workaround for this security issue (GitHub Advisory).