SCA: security update for org.xwiki.platform:xwiki-platform-rest-server (GHSA-22q5-9phm-744v)

Severity: High | Tenable Self-Hosted Container Security Plugin ID 421155

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- XWiki Platform is a generic wiki platform. Prior to 15.10.14, 16.4.6, and 16.10.0-rc-1, protected pages are listed when requesting the REST endpoint /rest/wikis/[wikiName]/pages even if the user doesn't have view rights on them. This is particularly true if the entire wiki is protected with "Prevent unregistered user to view pages": the endpoint would still list the pages of the wiki, though only for the main wiki. The problem has been patched in XWiki 15.10.14, 16.4.6, and 16.10.0RC1. In those versions the endpoint can still be requested, but the result is filtered based on page rights. (CVE-2025-29925)

See Also

https://github.com/advisories/GHSA-22q5-9phm-744v

Plugin Details

Severity: High

ID: 421155

Version: Revision 1.11

Type: Local

Family: SCA Checks

Published: 3/20/2025

Updated: 6/1/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 1.2

Percentile: 0.01

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2025-29925

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 8.7

Threat Score: 8.7

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/19/2025

Vulnerability Publication Date: 3/19/2025

Reference Information

CVE: CVE-2025-29925

CWE: CWE-402