CVE-2024-21648: 
Java vulnerability analysis and mitigation

XWiki Platform, a generic wiki platform offering runtime services for applications, was found to contain a vulnerability in its rollback action functionality. The vulnerability (CVE-2024-21648) was discovered where the rollback action lacked proper right protection, allowing users to rollback to previous versions of pages to gain rights they no longer possessed. This security issue affects all versions of XWiki since the rollback action became available, and has been patched in versions 14.10.17, 15.5.3, and 15.8-rc-1 (GitHub Advisory).

The vulnerability stems from missing right protection in the rollback action mechanism. The root cause was identified as rollback operations lacking a call to XWiki#checkSavingDocument, which is responsible for producing UserUpdatingDocumentEvent events that the RightsFilterListener depends on. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 HIGH (NIST: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and 8.0 HIGH (GitHub: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H). The issue is classified under CWE-274 (Improper Handling of Insufficient Privileges) (NVD).

The vulnerability allows users to exploit the rollback functionality to gain unauthorized privileges. Specifically, users could rollback to previous versions of pages where they had higher privileges, effectively bypassing current access control restrictions. This could lead to privilege escalation and unauthorized access to protected resources (GitHub Advisory).

The vulnerability has been patched in XWiki versions 14.10.17, 15.5.3, and 15.8-rc-1 by implementing proper rights checking before performing rollback operations. For unpatched systems, the only workaround is to carefully manage document version history by deleting old versions that could potentially allow users to gain elevated privileges (GitHub Advisory).