API Security Blog

XWiki configuration files can be accessed through the webjars API

Impact

It's possible to get access to and read configuration files by using URLs such as https://localhost:8080/xwiki/webjars/wiki%3Axwiki/..%2F..%2F..%2F..%2F..%2FWEB-INF%2Fxwiki.cfg. The trick here is to encode the /, which is decoded when parsing the URL segment but not re-encoded when assembling the file path.

Patches

This has been patched in 17.4.0-rc-1 and 16.10.7.

Workarounds

There is no known workaround, other than upgrading XWiki.

For more information

If you have any questions or comments about this advisory:
* Open an issue in Jira XWiki.org
* Email us at Security Mailing…
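The root cause above is a decode-then-join sequence with no containment check on the result. The following is an added, constructed illustration (not XWiki's code; the root directory, function names and the detection helper are assumptions) that contrasts such a naive resolver with one that validates the final resolved path, and adds a small helper a defender can run over access-log request paths to flag traversal attempts against unpatched instances.

```python
"""Illustrative resolver for a webjars-style static resource API.

Added example, not XWiki's code: WEBJARS_ROOT, the function names and the
checks are assumptions used to show the flaw the advisory describes and one
way to close it.
"""
import posixpath
from urllib.parse import unquote

# Constructed root directory where webjar resources are assumed to live.
WEBJARS_ROOT = "/opt/xwiki/webjars"

# Constructed sample: the encoded resource part of the advisory's URL.
ADVISORY_SEGMENT = "..%2F..%2F..%2F..%2F..%2FWEB-INF%2Fxwiki.cfg"


def resolve_naively(resource_segment: str) -> str:
    """Decode the URL segment and join it onto the root with no containment
    check. This mirrors the behaviour the advisory describes: '%2F' becomes
    '/' at decode time and then acts as a path separator when the file path
    is assembled."""
    decoded = unquote(resource_segment)
    return posixpath.normpath(posixpath.join(WEBJARS_ROOT, decoded))


def resolve_safely(resource_segment: str) -> str:
    """Decode once, normalise, and refuse anything that escapes the root.

    The check runs on the final resolved path, so it does not matter whether
    the traversal was written as '../' or '..%2F': if the normalised result
    is outside WEBJARS_ROOT it is rejected."""
    decoded = unquote(resource_segment)
    if "\x00" in decoded or "\\" in decoded:
        raise ValueError("unexpected characters in resource path")
    if decoded.startswith("/"):
        # posixpath.join() would discard the root for an absolute component.
        raise ValueError("resource path must be relative to the webjars root")
    root = WEBJARS_ROOT.rstrip("/")
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    if candidate != root and not candidate.startswith(root + "/"):
        raise ValueError("resource path escapes the webjars root")
    return candidate


def looks_like_traversal(request_path: str) -> bool:
    """Detection helper for access-log review: decode the raw request path
    once and report whether any segment is '..'. Plain '../' and encoded
    '..%2F' forms both normalise to the same segments here."""
    decoded = unquote(request_path)
    return any(part == ".." for part in decoded.split("/"))


if __name__ == "__main__":
    print("naive  :", resolve_naively(ADVISORY_SEGMENT))
    print("safe   :", resolve_safely("jquery%2F3.6.0%2Fjquery.min.js"))
    try:
        resolve_safely(ADVISORY_SEGMENT)
    except ValueError as exc:
        print("blocked:", exc)
    print("flagged:", looks_like_traversal(
        "/xwiki/webjars/wiki%3Axwiki/" + ADVISORY_SEGMENT))
```

The naive resolver lands on /WEB-INF/xwiki.cfg for the advisory's segment, while the hardened one raises because the normalised path leaves the root. Checking the resolved path rather than scanning the raw string for ".." is the design choice that matters: it is indifferent to how the separator was encoded on the way in.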
