CVE-2023-36468: 
Java vulnerability analysis and mitigation

XWiki Platform, a generic wiki platform offering runtime services for applications, was found to contain a security vulnerability (CVE-2023-36468) that affects versions from 2.0 up to (excluding) 14.10.7, and versions 15.0-rc-1 to (excluding) 15.2-rc-1. The vulnerability was discovered when it was found that upgrading an XWiki installation with a security fix for a document doesn't prevent exploitation of the vulnerability in older versions of that document. This vulnerability was patched in versions 14.10.7 and 15.2RC1 (GitHub Advisory).

The vulnerability stems from the way XWiki handles document versioning during upgrades. When an XWiki installation is upgraded with a security fix for a document, it only adds a new version of that document while retaining the vulnerable older versions. An attacker can still access and exploit vulnerabilities in these older versions by specifically requesting them using the 'rev' parameter (e.g., 'rev=1.1' in the URL). The vulnerability has been assigned a CVSS v3.1 base score of 9.9 (Critical) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, indicating its severe impact (NVD).

The severity of this vulnerability depends on the specific vulnerability being exploited in the older document versions. Using CVE-2022-36100 as an example, an attacker with just view rights can achieve remote code execution even after the system has been upgraded with security fixes. This affects the confidentiality, integrity, and availability of the entire XWiki installation. The vulnerability also impacts manually added script macros that contained security vulnerabilities that were later fixed (GitHub Advisory).

The vulnerability has been patched in XWiki versions 14.10.7 and 15.2RC1 by forcing old revisions to be executed in a restricted mode that disables all script macros. As a workaround, administrators can manually delete old revisions of affected documents. While a script could be used to identify all installed documents and delete their history, this approach might miss manually added and later corrected code that could be affected by this vulnerability (GitHub Advisory).