cve-2024-37899
Vulnerability from cvelistv5
Published
2024-06-20 22:13
Modified
2024-08-13 13:51
Severity ?
EPSS score ?
Summary
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When an admin disables a user account, the user's profile is executed with the admin's rights. This allows a user to place malicious code in the user profile before getting an admin to disable the user account. To reproduce, as a user without script nor programming rights, edit the about section of your user profile and add `{{groovy}}services.logging.getLogger("attacker").error("Hello from Groovy!"){{/groovy}}`.
As an admin, go to the user profile and click the "Disable this account" button. Then, reload the page. If the logs show `attacker - Hello from Groovy!` then the instance is vulnerable. This has been patched in XWiki 14.10.21, 15.5.5, 15.10.6 and 16.0.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
### Workarounds
We're not aware of any workaround except upgrading.
### References
* https://jira.xwiki.org/browse/XWIKI-21611
* https://github.com/xwiki/xwiki-platform/commit/f89c8f47fad6e5cc7e68c69a7e0acde07f5eed5a
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
xwiki | xwiki-platform |
Version: >= 13.4.7, <= 13.5 Version: >= 13.10.3, < 14.10.21 Version: >= 15.0-rc-1, < 15.5.5 Version: >= 15.6-rc-1, < 15.10.6 Version: >= 16.0.0-rc-1, < 16.0.0 |
{ containers: { adp: [ { affected: [ { cpes: [ "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "xwiki", vendor: "xwiki", versions: [ { lessThanOrEqual: "13.5", status: "affected", version: "13.4.7", versionType: "custom", }, { lessThanOrEqual: "14.10.21", status: "affected", version: "13.10.3", versionType: "custom", }, { lessThan: "15.5.5", status: "affected", version: "15.0-rc-1", versionType: "custom", }, { lessThan: "15.10.6", status: "affected", version: "15.6-rc-1,", versionType: "custom", }, { lessThan: "16.0.0", status: "affected", version: "16.0.0-rc-1,", versionType: "custom", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2024-37899", options: [ { Exploitation: "poc", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-06-27T18:36:25.554418Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-08-13T13:51:01.754Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-02T04:04:23.403Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-j584-j2vj-3f93", tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-j584-j2vj-3f93", }, { name: "https://github.com/xwiki/xwiki-platform/commit/f89c8f47fad6e5cc7e68c69a7e0acde07f5eed5a", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/xwiki/xwiki-platform/commit/f89c8f47fad6e5cc7e68c69a7e0acde07f5eed5a", }, { name: "https://jira.xwiki.org/browse/XWIKI-21611", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://jira.xwiki.org/browse/XWIKI-21611", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "xwiki-platform", vendor: "xwiki", versions: [ { status: "affected", version: ">= 13.4.7, <= 13.5", }, { status: "affected", version: ">= 13.10.3, < 14.10.21", }, { status: "affected", version: ">= 15.0-rc-1, < 15.5.5", }, { status: "affected", version: ">= 15.6-rc-1, < 15.10.6", }, { status: "affected", version: ">= 16.0.0-rc-1, < 16.0.0", }, ], }, ], descriptions: [ { lang: "en", value: "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When an admin disables a user account, the user's profile is executed with the admin's rights. This allows a user to place malicious code in the user profile before getting an admin to disable the user account. To reproduce, as a user without script nor programming rights, edit the about section of your user profile and add `{{groovy}}services.logging.getLogger(\"attacker\").error(\"Hello from Groovy!\"){{/groovy}}`.\nAs an admin, go to the user profile and click the \"Disable this account\" button. Then, reload the page. If the logs show `attacker - Hello from Groovy!` then the instance is vulnerable. This has been patched in XWiki 14.10.21, 15.5.5, 15.10.6 and 16.0.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.\n\n### Workarounds\nWe're not aware of any workaround except upgrading.\n\n### References\n* https://jira.xwiki.org/browse/XWIKI-21611\n* https://github.com/xwiki/xwiki-platform/commit/f89c8f47fad6e5cc7e68c69a7e0acde07f5eed5a\n", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.1, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-94", description: "CWE-94: Improper Control of Generation of Code ('Code Injection')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-06-20T22:13:59.450Z", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { name: "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-j584-j2vj-3f93", tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-j584-j2vj-3f93", }, { name: "https://github.com/xwiki/xwiki-platform/commit/f89c8f47fad6e5cc7e68c69a7e0acde07f5eed5a", tags: [ "x_refsource_MISC", ], url: "https://github.com/xwiki/xwiki-platform/commit/f89c8f47fad6e5cc7e68c69a7e0acde07f5eed5a", }, { name: "https://jira.xwiki.org/browse/XWIKI-21611", tags: [ "x_refsource_MISC", ], url: "https://jira.xwiki.org/browse/XWIKI-21611", }, ], source: { advisory: "GHSA-j584-j2vj-3f93", discovery: "UNKNOWN", }, title: "Disabling a user account changes its author, allowing RCE from user account in XWiki", }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2024-37899", datePublished: "2024-06-20T22:13:59.450Z", dateReserved: "2024-06-10T19:54:41.362Z", dateUpdated: "2024-08-13T13:51:01.754Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", "vulnerability-lookup:meta": { nvd: "{\"cve\":{\"id\":\"CVE-2024-37899\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-06-20T23:15:52.460\",\"lastModified\":\"2025-02-05T16:01:02.763\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When an admin disables a user account, the user's profile is executed with the admin's rights. This allows a user to place malicious code in the user profile before getting an admin to disable the user account. To reproduce, as a user without script nor programming rights, edit the about section of your user profile and add `{{groovy}}services.logging.getLogger(\\\"attacker\\\").error(\\\"Hello from Groovy!\\\"){{/groovy}}`.\\nAs an admin, go to the user profile and click the \\\"Disable this account\\\" button. Then, reload the page. If the logs show `attacker - Hello from Groovy!` then the instance is vulnerable. This has been patched in XWiki 14.10.21, 15.5.5, 15.10.6 and 16.0.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.\\n\\n### Workarounds\\nWe're not aware of any workaround except upgrading.\\n\\n### References\\n* https://jira.xwiki.org/browse/XWIKI-21611\\n* https://github.com/xwiki/xwiki-platform/commit/f89c8f47fad6e5cc7e68c69a7e0acde07f5eed5a\\n\"},{\"lang\":\"es\",\"value\":\"XWiki Platform es una plataforma wiki genérica que ofrece servicios de ejecución para aplicaciones creadas sobre ella. Cuando un administrador desactiva una cuenta de usuario, el perfil del usuario se ejecuta con los derechos de administrador. Esto permite a un usuario colocar código malicioso en el perfil de usuario antes de que un administrador desactive la cuenta de usuario. Para reproducir, como usuario sin script ni derechos de programación, edite la sección Acerca de de su perfil de usuario y agregue `{{groovy}}services.logging.getLogger(\\\"attacker\\\").error(\\\"Hello from Groovy!\\\"){{ /maravilloso}}`. Como administrador, vaya al perfil de usuario y haga clic en el botón \\\"Desactivar esta cuenta\\\". Luego, recarga la página. Si los registros muestran \\\"atacante - ¡Hola desde Groovy!\\\", entonces la instancia es vulnerable. Esto ha sido parcheado en XWiki 14.10.21, 15.5.5, 15.10.6 y 16.0.0. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad. ### Workarounds no conocemos ningún workarounds excepto la actualización. ### Referencias * https://jira.xwiki.org/browse/XWIKI-21611 * https://github.com/xwiki/xwiki-platform/commit/f89c8f47fad6e5cc7e68c69a7e0acde07f5eed5a\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H\",\"baseScore\":9.0,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.3,\"impactScore\":6.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":8.0,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.1,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-94\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-94\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"13.10.3\",\"versionEndExcluding\":\"14.10.21\",\"matchCriteriaId\":\"C91B88B4-DC83-449D-95B0-DF1A76D37F54\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"15.0\",\"versionEndExcluding\":\"15.5.5\",\"matchCriteriaId\":\"CA7D00D6-D2DD-4678-A328-5C2A7E96FE48\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"15.6\",\"versionEndExcluding\":\"15.10.6\",\"matchCriteriaId\":\"CCB0588B-7F74-423B-9D36-4B8E4F1BA459\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:xwiki:xwiki:13.4.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5069AD5C-1456-46D2-9193-2B10906D9B70\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:xwiki:xwiki:13.5:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"CAB28BF5-A7F3-4649-BC0F-648E8963038B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:xwiki:xwiki:16.0.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"B1CD131A-4CDE-4465-BA81-77A93AFF784B\"}]}]}],\"references\":[{\"url\":\"https://github.com/xwiki/xwiki-platform/commit/f89c8f47fad6e5cc7e68c69a7e0acde07f5eed5a\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-j584-j2vj-3f93\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://jira.xwiki.org/browse/XWIKI-21611\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/xwiki/xwiki-platform/commit/f89c8f47fad6e5cc7e68c69a7e0acde07f5eed5a\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-j584-j2vj-3f93\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://jira.xwiki.org/browse/XWIKI-21611\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}", vulnrichment: { containers: "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-j584-j2vj-3f93\", \"name\": \"https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-j584-j2vj-3f93\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/xwiki/xwiki-platform/commit/f89c8f47fad6e5cc7e68c69a7e0acde07f5eed5a\", \"name\": \"https://github.com/xwiki/xwiki-platform/commit/f89c8f47fad6e5cc7e68c69a7e0acde07f5eed5a\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://jira.xwiki.org/browse/XWIKI-21611\", \"name\": \"https://jira.xwiki.org/browse/XWIKI-21611\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T04:04:23.403Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-37899\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-06-27T18:36:25.554418Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*\"], \"vendor\": \"xwiki\", \"product\": \"xwiki\", \"versions\": [{\"status\": \"affected\", \"version\": \"13.4.7\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"13.5\"}, {\"status\": \"affected\", \"version\": \"13.10.3\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"14.10.21\"}, {\"status\": \"affected\", \"version\": \"15.0-rc-1\", \"lessThan\": \"15.5.5\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"15.6-rc-1,\", \"lessThan\": \"15.10.6\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"16.0.0-rc-1,\", \"lessThan\": \"16.0.0\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-07-01T14:41:31.191Z\"}}], \"cna\": {\"title\": \"Disabling a user account changes its author, allowing RCE from user account in XWiki\", \"source\": {\"advisory\": \"GHSA-j584-j2vj-3f93\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 9.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"xwiki\", \"product\": \"xwiki-platform\", \"versions\": [{\"status\": \"affected\", \"version\": \">= 13.4.7, <= 13.5\"}, {\"status\": \"affected\", \"version\": \">= 13.10.3, < 14.10.21\"}, {\"status\": \"affected\", \"version\": \">= 15.0-rc-1, < 15.5.5\"}, {\"status\": \"affected\", \"version\": \">= 15.6-rc-1, < 15.10.6\"}, {\"status\": \"affected\", \"version\": \">= 16.0.0-rc-1, < 16.0.0\"}]}], \"references\": [{\"url\": \"https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-j584-j2vj-3f93\", \"name\": \"https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-j584-j2vj-3f93\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/xwiki/xwiki-platform/commit/f89c8f47fad6e5cc7e68c69a7e0acde07f5eed5a\", \"name\": \"https://github.com/xwiki/xwiki-platform/commit/f89c8f47fad6e5cc7e68c69a7e0acde07f5eed5a\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://jira.xwiki.org/browse/XWIKI-21611\", \"name\": \"https://jira.xwiki.org/browse/XWIKI-21611\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When an admin disables a user account, the user's profile is executed with the admin's rights. This allows a user to place malicious code in the user profile before getting an admin to disable the user account. To reproduce, as a user without script nor programming rights, edit the about section of your user profile and add `{{groovy}}services.logging.getLogger(\\\"attacker\\\").error(\\\"Hello from Groovy!\\\"){{/groovy}}`.\\nAs an admin, go to the user profile and click the \\\"Disable this account\\\" button. Then, reload the page. If the logs show `attacker - Hello from Groovy!` then the instance is vulnerable. This has been patched in XWiki 14.10.21, 15.5.5, 15.10.6 and 16.0.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.\\n\\n### Workarounds\\nWe're not aware of any workaround except upgrading.\\n\\n### References\\n* https://jira.xwiki.org/browse/XWIKI-21611\\n* https://github.com/xwiki/xwiki-platform/commit/f89c8f47fad6e5cc7e68c69a7e0acde07f5eed5a\\n\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-94\", \"description\": \"CWE-94: Improper Control of Generation of Code ('Code Injection')\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-06-20T22:13:59.450Z\"}}}", cveMetadata: "{\"cveId\": \"CVE-2024-37899\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-13T13:51:01.754Z\", \"dateReserved\": \"2024-06-10T19:54:41.362Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-06-20T22:13:59.450Z\", \"assignerShortName\": \"GitHub_M\"}", dataType: "CVE_RECORD", dataVersion: "5.1", }, }, }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.