ghsa-m2r5-4w96-qxg5
Vulnerability from github
Published
2022-04-28 19:31
Modified
2022-04-28 19:31
Severity ?
4.9 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Summary
Arbitrary file access through XML parsing in org.xwiki.commons:xwiki-commons-xml
Details

Impact

It's possible in a script to access any file accessing to the user running XWiki application server with XML External Entity Injection through the XML script service.

For example:

``` {{velocity}}

set($xml=$services.get('xml'))

set($xxe_payload = "<?xml version='1.0' encoding='UTF-8'?><!DOCTYPE root[<!ENTITY xxe SYSTEM 'file:///etc/passwd' >]>&xxe;")

set($doc=$xml.parse($xxe_payload))

$xml.serialize($doc) {{/velocity}} ```

Patches

The problem has been patched on versions 12.10.10, 13.4.4 and 13.8RC1.

Workarounds

There's no easy workaround for fixing this vulnerability other than upgrading and being careful when giving Script rights.

References

https://jira.xwiki.org/browse/XWIKI-18946

For more information

If you have any questions or comments about this advisory: * Open an issue in Jira XWiki * Email us at XWiki Security mailing-list

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.commons:xwiki-commons-xml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.7"
            },
            {
              "fixed": "12.10.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.commons:xwiki-commons-xml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "13.0.0"
            },
            {
              "fixed": "13.4.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 13.7"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.commons:xwiki-commons-xml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "13.5-rc-1"
            },
            {
              "fixed": "13.8-rc-1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-24898"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-04-28T19:31:55Z",
    "nvd_published_at": "2022-04-28T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nIt\u0027s possible in a script to access any file accessing to the user running XWiki application server with XML External Entity Injection through the XML script service.\n\nFor example:\n\n```\n{{velocity}}\n#set($xml=$services.get(\u0027xml\u0027))\n#set($xxe_payload = \"\u003c?xml version=\u00271.0\u0027 encoding=\u0027UTF-8\u0027?\u003e\u003c!DOCTYPE root[\u003c!ENTITY xxe SYSTEM \u0027file:///etc/passwd\u0027 \u003e]\u003e\u003croot\u003e\u003cfoo\u003e\u0026xxe;\u003c/foo\u003e\u003c/root\u003e\")\n#set($doc=$xml.parse($xxe_payload))\n$xml.serialize($doc)\n{{/velocity}}\n```\n\n### Patches\n\nThe problem has been patched on versions 12.10.10, 13.4.4 and 13.8RC1.\n\n### Workarounds\n\nThere\u0027s no easy workaround for fixing this vulnerability other than upgrading and being careful when giving Script rights.\n\n### References\n\nhttps://jira.xwiki.org/browse/XWIKI-18946\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [Jira XWiki](https://jira.xwiki.org)\n* Email us at [XWiki Security mailing-list](mailto:security@xwiki.org)",
  "id": "GHSA-m2r5-4w96-qxg5",
  "modified": "2022-04-28T19:31:55Z",
  "published": "2022-04-28T19:31:55Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-m2r5-4w96-qxg5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24898"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-commons/commit/947e8921ebd95462d5a7928f397dd1b64f77c7d5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/xwiki/xwiki-commons"
    },
    {
      "type": "WEB",
      "url": "https://jira.xwiki.org/browse/XWIKI-18946"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Arbitrary file access through XML parsing in org.xwiki.commons:xwiki-commons-xml"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.