GHSA-37m4-hqxv-w26g
Suggest an improvement- Source
- https://github.com/advisories/GHSA-37m4-hqxv-w26g
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-37m4-hqxv-w26g/GHSA-37m4-hqxv-w26g.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-37m4-hqxv-w26g
- Aliases
- Published
- 2024-04-10T17:14:35Z
- Modified
- 2024-04-10T22:01:32Z
- Severity
-
- 9.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H CVSS Calculator
- Summary
- XWiki Platform CSRF remote code execution through scheduler job's document reference
- Details
-
Impact
By creating a document with a special crafted documented reference and an
XWiki.SchedulerJobClassXObject, it is possible to execute arbitrary code on the server whenever an admin visits the scheduler page or the scheduler page is referenced, e.g., via an image in a comment on a page in the wiki.To reproduce on an XWiki installation, click on this link to create a new document :
<xwiki-host>/xwiki/bin/view/%22%3E%5D%5D%7B%7B%2Fhtml%7D%7D%7B%7Basync%20context%3D%22request/parameters%22%7D%7D%7B%7Bvelocity%7D%7D%23evaluate%28%24request/eval%29/. Then, add to this document an object of typeXWiki.SchedulerJobClass. Finally, as an admin, go to<xwiki-host>/xwiki/bin/view/Scheduler/?eval=$services.logging.getLogger(%22attacker%22).error(%22Hello%20from%20URL%20Parameter!%20I%20got%20programming:%20$services.security.authorization.hasAccess(%27programming%27)%22). If the logs containERROR attacker - Hello from URL Parameter! I got programming: true, the installation is vulnerable.Patches
The vulnerability has been fixed on XWiki 14.10.19, 15.5.5, and 15.9.
Workarounds
Modify the Scheduler.WebHome page following this patch.
References
- https://jira.xwiki.org/browse/XWIKI-21416
- https://github.com/xwiki/xwiki-platform/commit/f16ca4ef1513f84ce2e685d4a05d689bd3a2ab4c
- Database specific
{ "nvd_published_at": "2024-04-10T21:15:06Z", "cwe_ids": [ "CWE-352", "CWE-95" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2024-04-10T17:14:35Z" }- References
-
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-37m4-hqxv-w26g
- https://nvd.nist.gov/vuln/detail/CVE-2024-31986
- https://github.com/xwiki/xwiki-platform/commit/8a92cb4bef7e5f244ae81eed3e64fe9be95827cf
- https://github.com/xwiki/xwiki-platform/commit/efd3570f3e5e944ec0ad0899bf799bf9563aef87
- https://github.com/xwiki/xwiki-platform/commit/f30d9c641750a3f034b5910c6a3a7724ae8f2269
- https://github.com/xwiki/xwiki-platform
- https://jira.xwiki.org/browse/XWIKI-21416
Affected packages
Maven / org.xwiki.platform:xwiki-platform-scheduler-ui
Package
- Name
- org.xwiki.platform:xwiki-platform-scheduler-ui
- View open source insights on deps.dev
- Purl
- pkg:maven/org.xwiki.platform/xwiki-platform-scheduler-ui
Maven / org.xwiki.platform:xwiki-platform-scheduler-ui
Package
- Name
- org.xwiki.platform:xwiki-platform-scheduler-ui
- View open source insights on deps.dev
- Purl
- pkg:maven/org.xwiki.platform/xwiki-platform-scheduler-ui
Maven / org.xwiki.platform:xwiki-platform-scheduler-ui
Package
- Name
- org.xwiki.platform:xwiki-platform-scheduler-ui
- View open source insights on deps.dev
- Purl
- pkg:maven/org.xwiki.platform/xwiki-platform-scheduler-ui