Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS04OTU5LXJmeGgtcjRqNM4AA4Qk
XWiki vulnerable to Denial of Service attack through attachments
Impact
A user able to attach a file to a page can post a malformed TAR file by manipulating file modification times headers, which when parsed by Tika, could cause a denial of service issue via CPU consumption.
Patches
This vulnerability has been patched in XWiki 14.10.18, 15.5.3 and 15.8 RC1.
Workarounds
The workaround is to download commons-compress 1.24 and replace the one located in XWiki WEB-INF/lib/ folder.
References
https://jira.xwiki.org/browse/XCOMMONS-2796
For more information
If you have any questions or comments about this advisory:
- Open an issue in Jira XWiki.org
- Email us at Security Mailing List
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04OTU5LXJmeGgtcjRqNM4AA4Qk
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 4 months ago
Updated: 4 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-8959-rfxh-r4j4, CVE-2024-21651
References:
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-8959-rfxh-r4j4
- https://jira.xwiki.org/browse/XCOMMONS-2796
- https://search.maven.org/remotecontent?filepath=org/apache/commons/commons-compress/1.24.0/commons-compress-1.24.0.jar
- https://nvd.nist.gov/vuln/detail/CVE-2024-21651
- https://github.com/advisories/GHSA-8959-rfxh-r4j4
Blast Radius: 1.0
Affected Packages
maven:org.xwiki.platform:xwiki-platform-distribution-war
Affected Version Ranges: >= 15.6-rc-1, < 15.8-rc-1, >= 15.0-rc-1, < 15.5.3, >= 14.10, < 14.10.18Fixed in: 15.8-rc-1, 15.5.3, 14.10.18