Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1neDRmLTk3NmctN2c2ds4AAyAD

XWiki Platform vulnerable to data leak via Improper Restriction of XML External Entity Reference

Impact

Any user with edit rights on a document can trigger a XAR import on a forged XAR file, leading to the ability to display the content of any file on the XWiki server host.

Example to reproduce:

You'll then notice that the displayed UI contains the content of the /etc/passwd file.

Patches

The vulnerability has been patched in XWiki 13.10.11, 14.4.7 and 14.10-rc-1.

Workarounds

You'd need to get XWiki Platform sources and apply the changes from https://github.com/xwiki/xwiki-platform/commit/e3527b98fdd8dc8179c24dc55e662b2c55199434 to the XarPackage java class and then copy the modified version to your WEB-INF/classes directory (or rebuild the xwiki-platform-xar-model maven module and replace the one found in WEB-INF/lib/).

References

For more information

If you have any questions or comments about this advisory:

Permalink: https://github.com/advisories/GHSA-gx4f-976g-7g6v
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1neDRmLTk3NmctN2c2ds4AAyAD
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 1 year ago
Updated: about 1 year ago


CVSS Score: 7.7
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Identifiers: GHSA-gx4f-976g-7g6v, CVE-2023-27480
References: Repository: https://github.com/xwiki/xwiki-platform
Blast Radius: 1.0

Affected Packages

maven:org.xwiki.platform:xwiki-platform-xar-model
Affected Version Ranges: >= 14.5, < 14.10-rc-1, >= 14.0, < 14.4.7, >= 1.1-milestone-3, < 13.10.11
Fixed in: 14.10-rc-1, 14.4.7, 13.10.11