CVE-2022-41935: 
Java vulnerability analysis and mitigation

XWiki Platform, a generic wiki platform offering runtime services for applications, was found to contain a sensitive information exposure vulnerability (CVE-2022-41935). The vulnerability was discovered in July 2022 and affected versions >= 12.10.11, >= 13.9-rc-1, and >= 13.4.4. The issue was patched in versions 14.6-rc-1, 13.10.8, and 14.4.3. This vulnerability allowed users without proper view permissions to deduce the existence and content of documents they shouldn't have access to (XWiki Advisory).

The vulnerability exists in the LiveTable feature where users without view rights could perform repeated queries to discover information about restricted documents. The issue has a CVSS v3.1 score of 5.3 (Moderate) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). Through carefully crafted queries to the LiveTable results endpoint, an attacker could iteratively discover document content by using binary search techniques (XWiki Advisory).

The vulnerability allows unauthorized users to discover the existence and content of documents they don't have permission to view. Using binary search techniques, attackers could reconstruct title, content, and object fields of inaccessible documents. For a known alphabet of less than 128 characters, discovering a single character could be achieved with just 7 requests. The attack could be optimized using word frequency analysis to guess whole words, making content recovery potentially faster (XWiki Advisory).

The issue has been patched in XWiki versions 14.6RC1, 13.10.8, and 14.4.3. For affected versions (>= 12.10.11, >= 13.9-rc-1, and >= 13.4.4), users can manually apply the patch to the XWiki.LiveTableResultsMacros document or import a XAR archive of a patched version (XWiki Advisory).