XWiki Licensing: Public Licenses.Code.LicenseJSON Leak (V1.24.2)
CVE-2024-26138 Published on February 21, 2024

License information is public, exposing instance id and license holder details
The XWiki licensor application, which manages and enforce application licenses for paid extensions, includes the document `Licenses.Code.LicenseJSON` that provides information for admins regarding active licenses. This document is public and thus exposes this information publicly. The information includes the instance's id as well as first and last name and email of the license owner. This is a leak of information that isn't supposed to be public. The instance id allows associating data on the active installs data with the concrete XWiki instance. Active installs assures that "there's no way to find who's having a given UUID" (referring to the instance id). Further, the information who the license owner is and information about the obtained licenses can be used for targeted phishing attacks. Also, while user information is normally public, email addresses might only be displayed obfuscated, depending on the configuration. This has been fixed in Application Licensing 1.24.2. There are no known workarounds besides upgrading.

Github Repository NVD

Vulnerability Analysis

CVE-2024-26138 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a small impact on integrity and availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
LOW
Integrity Impact:
NONE
Availability Impact:
NONE

Weakness Type

What is an AuthZ Vulnerability?

The software does not perform an authorization check when an actor attempts to access a resource or perform an action.

CVE-2024-26138 has been classified to as an AuthZ vulnerability or weakness.


Products Associated with CVE-2024-26138

stack.watch emails you whenever new vulnerabilities are published in Xwiki Application Licensing or Xwiki. Just hit a watch button to start following.

Xwiki Application Licensing
 
Xwiki
 

Affected Versions

xwikisas application-licensing: xwikisas application_licensing:

Vulnerable Packages

The following package name and versions may be associated with CVE-2024-26138

Package Manager Vulnerable Package Versions Fixed In
maven com.xwiki.licensing:application-licensing-licensor-ui >= 1.0, < 1.24.2 1.24.2

Exploit Probability

EPSS
0.24%
Percentile
47.18%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.