XWiki Platform is a generic wiki platform. Starting in version 2.3 and prior to versions 15.10.9 and 16.3.0, any user with script rights can achieve arbitrary remote code execution by adding instances of XWiki.ConfigurableClass to any page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. The record below classifies the weakness as CWE-862 (Missing Authorization). The issue is patched in XWiki 15.10.9 and 16.3.0. No workaround is known other than upgrading.
{
"cna_assigner": "GitHub_M",
"cwe_ids": [
"CWE-862"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/55xxx/CVE-2024-55879.json"
}[
{
"target": {
"function": "setUp",
"file": "xwiki-platform-core/xwiki-platform-administration/xwiki-platform-administration-ui/src/test/java/org/xwiki/administration/ConfigurableClassPageTest.java"
},
"digest": {
"length": 712.0,
"function_hash": "236992300391277556217378332457867545182"
},
"signature_version": "v1",
"source": "https://github.com/xwiki/xwiki-platform/commit/8493435ff9606905a2d913607d6c79862d0c168d",
"deprecated": false,
"signature_type": "Function",
"id": "CVE-2024-55879-01eaac4a"
},
{
"target": {
"function": "checkScriptRight",
"file": "xwiki-platform-core/xwiki-platform-administration/xwiki-platform-administration-ui/src/test/java/org/xwiki/administration/ConfigurableClassPageTest.java"
},
"digest": {
"length": 1263.0,
"function_hash": "80797114820277573592219065610970345622"
},
"signature_version": "v1",
"source": "https://github.com/xwiki/xwiki-platform/commit/8493435ff9606905a2d913607d6c79862d0c168d",
"deprecated": false,
"signature_type": "Function",
"id": "CVE-2024-55879-8fedb097"
},
{
"target": {
"file": "xwiki-platform-core/xwiki-platform-administration/xwiki-platform-administration-ui/src/test/java/org/xwiki/administration/ConfigurableClassPageTest.java"
},
"digest": {
"line_hashes": [
"209161574377728761043116483541213496716",
"176869214448177095988789824904650296895",
"183463755079819425991089555567333209492",
"311974343199307524466490082628170242319",
"177443356313965610309158258852035936960",
"151534286446640185703922743335022821142",
"263486596542065634817245577714402253766",
"182697580140364187126886547571909086457",
"326541991244629128376665833268163046923",
"66726863852917978464988524575564641378",
"282418863558437391064037525662000018647",
"302537729189063189521383400244718585078",
"332726563288626311229564541772554881618",
"204401985300051435345067799007887467714",
"199626531698945121904162988375912544219",
"255759114264745598448339811904960213115",
"13437552843303005776081609052057576295",
"239792704208419815421453019887600605653",
"298211165952676017968033695890469247413",
"320520918919314400144707579895830399890",
"205768257667498665619494444254274381339",
"182666193011307363221176648219403342751",
"292021706169061952570328008134243395913",
"12634528113923032300510451024038863106",
"36070476884631980724382535522939910147",
"217862868595680684075159044107096748594",
"71457223400197470553246857296083857090",
"238287114221003640551472382295105642965",
"147305954995447523075690537467446255820",
"104705912299772775840076961237413087949",
"77173728112052242371127160628168139794",
"275000435236607197427066859692080925488",
"90034652113259410694034232645959973907",
"55757152012966220629586602017647554919",
"47258802170825083931144140667972695740",
"326564075106381809743080382797717057314",
"303930380382386922558950638188134930479",
"132861621073128040554049398155629857841",
"200562433780640854012238760838999357419",
"222428809391772391158613680457773399526",
"23220054141384218956116222389727245432",
"50250418155882563489311515001338334020",
"307936252344812426390763154640583503023",
"95195544305406473247621671551412862076",
"120259910186977638077225211319014100328",
"184247451948149273616590541844913790919",
"94848988495237535935492047089978640039",
"146687846040791670463816991940821023730",
"32918891334412752573011887060138380110",
"169212284298489123497956384093940991819",
"182245102451658064082630141067076651109",
"250119862470441255852297027014783796428",
"290284058722694231439217758135846287445",
"144690559262065437008819409434548308795",
"106924612733837558842875734190867065085",
"125797368803989791040927918822545433247"
],
"threshold": 0.9
},
"signature_version": "v1",
"source": "https://github.com/xwiki/xwiki-platform/commit/8493435ff9606905a2d913607d6c79862d0c168d",
"deprecated": false,
"signature_type": "Line",
"id": "CVE-2024-55879-d8d3a95b"
}
]