Severity: HIGH (7.5)

GHSA-rh28-mqj4-8x59

XWiki Platform's Livetable results still allow reconstructing password hashes using 768 requests

Details

### Impact

XWiki discovered that the patch for GHSA-5cf8-vrr8-8hjm was insufficient: with slightly modified parameters to the `LiveTableResults`, it is still possible to discover password hashes one bit at a time, so with 768 requests the full password salt and hash of a user can be retrieved.

### Patches

The check for password (and email) properties has been adjusted in XWiki 18.0.0RC1, 17.10.13, 17.4.9 and 16.10.17.

### Workarounds

The [patch](https://github.com/xwiki/xwiki-platform/commit/c4442716b02ffcdaa9d5e703b1db6203e36456fa#diff-5a739e5865b1f1ad9d79b724791be51b0095a0170cc078911c940478b13b949a) can be applied manually to the wiki page `XWiki.LiveTableResultsMacros`.

### Resources

* https://jira.xwiki.org/browse/XWIKI-23875
* https://github.com/xwiki/xwiki-platform/commit/c4442716b02ffcdaa9d5e703b1db6203e36456fa
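The Impact section above describes a bit-at-a-time oracle that needs on the order of 768 distinct `LiveTableResults` requests per targeted user. Until the patched versions are rolled out, that request volume is itself a usable detection signal. The following script is an added example (not XWiki's code and not part of the advisory): it parses access-log lines in the common log format, keeps only requests to the LiveTable results endpoint, and flags any client that issues more than a threshold of distinct query strings inside a sliding time window. The endpoint path `/xwiki/bin/get/XWiki/LiveTableResults`, the log format, the threshold and the sample log lines are all assumptions; the query strings in the constructed sample are synthetic and stand in only for the variety of parameters, not for any particular parameter set.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Assumed request path for the LiveTable results page; adjust to your
# deployment (context path and URL scheme vary between installations).
LIVETABLE_PATH = "/xwiki/bin/get/XWiki/LiveTableResults"

# Common log format: ip ident user [timestamp] "METHOD url PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one access-log line into (ip, timestamp, url); None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "url": m.group("url")}


def find_livetable_bursts(lines, window_seconds=600, threshold=100):
    """Return {client_ip: max_distinct_queries} for clients that sent more than
    `threshold` distinct LiveTableResults query strings within any window of
    `window_seconds`. A person paging through a livetable produces a handful
    of distinct parameter sets; a bit-by-bit extraction needs hundreds."""
    per_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["url"])
        if parts.path != LIVETABLE_PATH:
            continue
        per_client[rec["ip"]].append((rec["ts"], parts.query))

    flagged = {}
    for ip, events in per_client.items():
        events.sort()
        start = 0
        in_window = defaultdict(int)  # query string -> occurrences in window
        for ts, query in events:
            in_window[query] += 1
            # Slide the window start forward until it fits window_seconds.
            while (ts - events[start][0]).total_seconds() > window_seconds:
                old_query = events[start][1]
                in_window[old_query] -= 1
                if in_window[old_query] == 0:
                    del in_window[old_query]
                start += 1
            if len(in_window) > threshold:
                flagged[ip] = max(flagged.get(ip, 0), len(in_window))
    return flagged


def constructed_log():
    """Constructed sample log: one user paging a livetable three times from
    10.0.0.5, and one client sending 768 distinct queries from 198.51.100.7
    at one request per second (synthetic 'probe=N' parameters)."""
    base = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    fmt = "%d/%b/%Y:%H:%M:%S %z"
    lines = []
    for i in range(3):
        ts = (base + timedelta(seconds=i * 20)).strftime(fmt)
        lines.append(f'10.0.0.5 - - [{ts}] "GET {LIVETABLE_PATH}'
                     f'?offset={i * 15 + 1}&limit=15 HTTP/1.1" 200 512')
    for i in range(768):
        ts = (base + timedelta(seconds=i)).strftime(fmt)
        lines.append(f'198.51.100.7 - - [{ts}] "GET {LIVETABLE_PATH}'
                     f'?probe={i} HTTP/1.1" 200 64')
    return lines


if __name__ == "__main__":
    for ip, count in find_livetable_bursts(constructed_log()).items():
        print(f"{ip}: up to {count} distinct LiveTableResults queries "
              f"in a 10-minute window")
```

With the constructed sample, the paging user never exceeds three distinct queries and is not reported, while the enumerating client reaches 601 distinct queries inside a single ten-minute window and is flagged. Tune `threshold` against your own traffic: the point is that the gap between normal livetable use and the hundreds of requests this oracle needs is wide enough to alert on.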


Affected packages

| Package | Introduced in | Fixed in | Fix |
|---|---|---|---|
| Maven / org.xwiki.platform:xwiki-platform-livetable-ui | 6.2.1 | 16.10.17 | pom.xml: bump `<version>16.10.17</version>` for org.xwiki.platform:xwiki-platform-livetable-ui |
| Maven / org.xwiki.platform:xwiki-platform-livetable-ui | 17.0.0-rc-1 | 17.4.9 | pom.xml: bump `<version>17.4.9</version>` for org.xwiki.platform:xwiki-platform-livetable-ui |
| Maven / org.xwiki.platform:xwiki-platform-livetable-ui | 17.5.0-rc-1 | 17.10.3 | pom.xml: bump `<version>17.10.3</version>` for org.xwiki.platform:xwiki-platform-livetable-ui |
