Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1neDRmLTk3NmctN2c2ds4AAyAD
XWiki Platform vulnerable to data leak via Improper Restriction of XML External Entity Reference
Impact
Any user with edit rights on a document can trigger a XAR import on a forged XAR file, leading to the ability to display the content of any file on the XWiki server host.
Example to reproduce:
- Create a forget XAR file and inside it, have the following
package.xmlcontent:<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]> <package> <infos> <name>&xxe;</name> <description> &xxe; Helper pages for creating and listing Class/Template/Sheets</description> <licence></licence> <author>XWiki.Admin</author> ... - Upload it onto a wiki page (e.g.
XXE) as an attachment (e.g.test.xar). - Call the page using
http://localhost:8080/xwiki/bin/view/Main/XXE?sheet=XWiki.AdminImportSheet&file=test.xar
You'll then notice that the displayed UI contains the content of the /etc/passwd file.
Patches
The vulnerability has been patched in XWiki 13.10.11, 14.4.7 and 14.10-rc-1.
Workarounds
You'd need to get XWiki Platform sources and apply the changes from https://github.com/xwiki/xwiki-platform/commit/e3527b98fdd8dc8179c24dc55e662b2c55199434 to the XarPackage java class and then copy the modified version to your WEB-INF/classes directory (or rebuild the xwiki-platform-xar-model maven module and replace the one found in WEB-INF/lib/).
References
- https://github.com/xwiki/xwiki-platform/commit/e3527b98fdd8dc8179c24dc55e662b2c55199434
- https://jira.xwiki.org/browse/XWIKI-20320
For more information
If you have any questions or comments about this advisory:
- Open an issue in Jira XWiki.org
- Email us at Security Mailing List
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1neDRmLTk3NmctN2c2ds4AAyAD
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: over 1 year ago
CVSS Score: 7.7
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Identifiers: GHSA-gx4f-976g-7g6v, CVE-2023-27480
References:
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-gx4f-976g-7g6v
- https://nvd.nist.gov/vuln/detail/CVE-2023-27480
- https://github.com/xwiki/xwiki-platform/commit/e3527b98fdd8dc8179c24dc55e662b2c55199434
- https://jira.xwiki.org/browse/XWIKI-20320
- https://github.com/advisories/GHSA-gx4f-976g-7g6v
Blast Radius: 1.0
Affected Packages
maven:org.xwiki.platform:xwiki-platform-xar-model
Affected Version Ranges: >= 14.5, < 14.10-rc-1, >= 14.0, < 14.4.7, >= 1.1-milestone-3, < 13.10.11Fixed in: 14.10-rc-1, 14.4.7, 13.10.11