CVE-2024-26138 in application-licensinginfo

Summary

by MITRE • 02/21/2024

The XWiki licensor application, which manages and enforce application licenses for paid extensions, includes the document `Licenses.Code.LicenseJSON` that provides information for admins regarding active licenses. This document is public and thus exposes this information publicly. The information includes the instance's id as well as first and last name and email of the license owner. This is a leak of information that isn't supposed to be public. The instance id allows associating data on the active installs data with the concrete XWiki instance. Active installs assures that "there's no way to find who's having a given UUID" (referring to the instance id). Further, the information who the license owner is and information about the obtained licenses can be used for targeted phishing attacks. Also, while user information is normally public, email addresses might only be displayed obfuscated, depending on the configuration. This has been fixed in Application Licensing 1.24.2. There are no known workarounds besides upgrading.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 02/06/2025

The vulnerability identified as CVE-2024-26138 affects the XWiki licensor application, specifically targeting the Application Licensing component version 1.24.1 and earlier. This flaw exists within the document structure used to manage and enforce licenses for paid extensions, where the `Licenses.Code.LicenseJSON` document contains sensitive licensing information that is publicly accessible. The exposure of this document creates a significant information disclosure risk that directly violates fundamental security principles of least privilege and data protection. The vulnerability represents a clear failure in access control mechanisms, as administrative information that should remain restricted to authorized personnel is made available to any external party with access to the application. This misconfiguration allows threat actors to gain insights into the operational environment of XWiki instances and the individuals associated with specific license purchases.

The technical implementation of this vulnerability stems from improper access controls within the XWiki application's document management system. The `Licenses.Code.LicenseJSON` document serves as a repository for license metadata that includes the instance identifier, which functions as a unique UUID for each XWiki installation, along with personal identifying information of license owners including their first and last names and email addresses. This design flaw directly violates the principle of information hiding and creates a data exposure scenario that aligns with CWE-200 (Information Exposure) and CWE-668 (The system exposes the internal implementation details). The instance identifier, while intended to maintain anonymity through the active installs tracking system, becomes a correlating factor that can link specific installations to particular organizations or individuals, effectively undermining the privacy protections that the system was designed to provide.

The operational impact of this vulnerability extends beyond simple information disclosure to create opportunities for targeted attacks and operational disruption. The exposure of email addresses and personal information creates prime targets for social engineering campaigns, including phishing attacks that can be tailored to specific license holders based on their organizational context. Threat actors can leverage this information to conduct more sophisticated attacks by creating believable scenarios that exploit the trust relationships inherent in legitimate licensing arrangements. The ability to associate specific instance identifiers with individual license owners enables attackers to map the landscape of XWiki installations and potentially identify high-value targets within organizations. This vulnerability also affects the integrity of the active installs data tracking system, as the instance ID that was designed to prevent correlation between installations and owners becomes a means of establishing such correlations. The risk is particularly elevated because email addresses, while often obfuscated in user profiles, are exposed in this public document, providing attackers with direct communication channels to targeted individuals.

The remediation for this vulnerability requires upgrading to Application Licensing version 1.24.2, which implements proper access controls to prevent unauthorized access to the license information document. This fix addresses the root cause by ensuring that administrative license data remains accessible only to authorized personnel with appropriate permissions. The vulnerability does not have any effective workarounds, as the issue stems from fundamental access control configuration rather than a specific code flaw that could be patched or modified. Organizations using affected versions of XWiki should prioritize this upgrade to protect against potential exploitation, as the exposure of license owner information creates a persistent threat vector that can be exploited for various malicious purposes. The vulnerability demonstrates the importance of proper access control implementation and the need for regular security assessments to identify and remediate information disclosure risks in enterprise applications. This case highlights the critical relationship between application security and data protection, where seemingly innocuous configuration decisions can create significant security implications that affect both individual users and organizational security posture. The vulnerability also aligns with ATT&CK technique T1566 (Phishing) and T1071.004 (Application Layer Protocol: DNS) as attackers can use the exposed information to craft more convincing phishing campaigns and potentially correlate network activity with specific license holders.

Responsible

GitHub, Inc.

Reservation

02/14/2024

Disclosure

02/21/2024

Moderation

accepted

CPE

ready

EPSS

0.00492

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!