Vulnerability in XWiki's Solr Script Service Affects Multiple Versions
CVE-2025-32971

3.8 LOW

Key Information:

Vendor: XWiki
CVE Published: 30 April 2025

Summary

In XWiki versions from 4.5.1 before 15.10.13, from 16.0.0-rc-1 before 16.4.4, and from 16.5.0-rc-1 before 16.8.0-rc-1, the Solr script service does not properly enforce programming rights, because an incorrect API is used for the rights check. As a result, users with script access can exploit the service, either by triggering excessive document indexing (placing heavy load on the server) or by temporarily removing documents from the search index, which affects the integrity and performance of the XWiki installation. The problem has been addressed in the patched versions listed below.

Affected Version(s)

xwiki-platform: affected >= 4.5.1, < 15.10.13 (unaffected: < 4.5.1; fixed in 15.10.13)

xwiki-platform: affected >= 16.0.0-rc-1, < 16.4.4 (unaffected: < 16.0.0-rc-1; fixed in 16.4.4)

xwiki-platform: affected >= 16.5.0-rc-1, < 16.8.0-rc-1 (unaffected: < 16.5.0-rc-1; fixed in 16.8.0-rc-1)
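The three affected ranges above mix final releases and release candidates, and "16.8.0-rc-1" must sort below "16.8.0" for the upper bounds to be read correctly. The following checker is an added example (not code from XWiki or from the advisory) that encodes the ranges exactly as listed, with inclusive lower and exclusive upper bounds; the "milestone" pre-release label is an assumption, only "rc" appears on this page.

```python
import re

# Affected ranges copied from the advisory (lower bound inclusive, upper bound exclusive).
AFFECTED_RANGES = [
    ("4.5.1", "15.10.13"),
    ("16.0.0-rc-1", "16.4.4"),
    ("16.5.0-rc-1", "16.8.0-rc-1"),
]

# Pre-release labels in ascending order; a final release sorts above all of them.
# Only "rc" appears in the advisory; "milestone" is an assumed additional label.
_PRERELEASE_RANK = {"milestone": 0, "rc": 1}
_RELEASE_RANK = 2

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([a-z]+)-(\d+))?$")


def version_key(version):
    """Map an XWiki version string to a sortable tuple.

    '16.0.0-rc-1' -> (16, 0, 0, 1, 1) and '16.0.0' -> (16, 0, 0, 2, 0),
    so a release candidate sorts below the final release of the same number.
    """
    m = _VERSION_RE.match(version.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, label, number = m.groups()
    if label is None:
        return (int(major), int(minor), int(patch), _RELEASE_RANK, 0)
    if label not in _PRERELEASE_RANK:
        raise ValueError(f"unknown pre-release label in {version!r}")
    return (int(major), int(minor), int(patch), _PRERELEASE_RANK[label], int(number))


def is_affected(version):
    """Return True if this xwiki-platform version falls inside any affected range."""
    key = version_key(version)
    return any(version_key(lo) <= key < version_key(hi) for lo, hi in AFFECTED_RANGES)


if __name__ == "__main__":
    for v in ["15.10.12", "15.10.13", "16.0.0-rc-1", "16.4.4", "16.7.0", "16.8.0-rc-1"]:
        print(f"{v:14s} affected={is_affected(v)}")
```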

CVSS V3.1

Score: 3.8
Severity: LOW
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
