What's New in MarkLogic 11

Privilege escalation allowing execution of xdmp:data-directory()

Certain privileged built-in functions that return static environmental data, for example xdmp:data-directory and xdmp:list-cache-size, may be prematurely optimized out, with their results in-lined as literals, in code passed to xdmp:invoke-function or xdmp:spawn-function.

The in-lining occurs in the outer environment, not the inner environment, so the execution privileges that are checked are those of the outer environment rather than the inner one. As a result, even if the inner environment does not have the privileges to execute the built-in functions, no exception is thrown when the optimized code is run. This issue is addressed in 10.0-3.
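
A regression check for the behaviour described above, added here as an example and not taken from the MarkLogic documentation. It assumes a test user named "inlining-check-user" (a hypothetical name) that you have created without the privileges for these two functions, and a caller that is allowed to run code as another user.

```xquery
xquery version "1.0-ml";

declare namespace error = "http://marklogic.com/xdmp/error";

(: Assumption: a test user created for this check, holding no privilege
   to call xdmp:data-directory or xdmp:list-cache-size. :)
declare variable $TEST-USER as xs:string := "inlining-check-user";

(: Runs $f in an inner environment as $TEST-USER and reports whether the
   privilege check fired there. :)
declare function local:probe(
  $name as xs:string,
  $f as function() as item()*
) as xs:string
{
  try {
    let $_ := xdmp:invoke-function($f,
      <options xmlns="xdmp:eval">
        <user-id>{xdmp:user($TEST-USER)}</user-id>
      </options>)
    (: Reaching this line means no exception was thrown in the inner
       environment, which is the symptom described above. :)
    return fn:concat($name, ": NO privilege check in the inner environment")
  } catch ($e) {
    (: A security error raised for the inner user is the expected outcome. :)
    fn:concat($name, ": rejected with ", fn:string(($e/error:code)[1]))
  }
};

(
  local:probe("xdmp:data-directory",  function() { xdmp:data-directory() }),
  local:probe("xdmp:list-cache-size", function() { xdmp:list-cache-size() })
)
```

On a server with the fix, both lines should report a rejection with a privilege error such as SEC-PRIVDENIED; run it from an account that does hold the privileges, since that is the outer environment in which the in-lining took place.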