CVE-2023-29517: 
Java vulnerability analysis and mitigation

CVE-2023-29517 affects XWiki Platform, a generic wiki platform offering runtime services for applications. The vulnerability was discovered in the office document viewer macro, which allowed unauthorized users to view any file content from the hosting server when the office server was connected. The access level depended on the permissions of the user running the servlet engine (e.g., tomcat) running XWiki. The vulnerability was patched in XWiki versions 13.10.11, 14.10.1, 14.4.8, and 15.0-rc-1 (GitHub Advisory).

The vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) with a CVSS v3.1 base score of 7.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). The attack vector is network-based, with low attack complexity, requiring no privileges or user interaction. The vulnerability affects all versions after 2.5-milestone-2 and allows attackers to perform internal requests to resources from the hosting server (GitHub Advisory).

The vulnerability allows unauthorized users to access and view any file content from the hosting server that is accessible to the servlet engine user. Additionally, it enables attackers to perform internal requests to resources from the hosting server, potentially exposing sensitive system information and configurations (XWIKI-20324, XWIKI-20447).

The primary mitigation is to upgrade to the patched versions: XWiki 13.10.11, 14.10.1, 14.4.8, or 15.0-rc-1. A potential workaround involves running XWiki in a sandbox with a user having very low privileges on the machine, though this approach may not fully protect all files from access since the servlet engine user still requires access to certain files (GitHub Advisory).