GHSA-8959-rfxh-r4j4
Suggest an improvement- Source
- https://github.com/advisories/GHSA-8959-rfxh-r4j4
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-8959-rfxh-r4j4/GHSA-8959-rfxh-r4j4.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-8959-rfxh-r4j4
- Aliases
- Published
- 2024-01-08T16:39:47Z
- Modified
- 2024-01-09T16:12:43Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- XWiki vulnerable to Denial of Service attack through attachments
- Details
-
Impact
A user able to attach a file to a page can post a malformed TAR file by manipulating file modification times headers, which when parsed by Tika, could cause a denial of service issue via CPU consumption.
Patches
This vulnerability has been patched in XWiki 14.10.18, 15.5.3 and 15.8 RC1.
Workarounds
The workaround is to download commons-compress 1.24 and replace the one located in XWiki
WEB-INF/lib/folder.References
https://jira.xwiki.org/browse/XCOMMONS-2796
For more information
If you have any questions or comments about this advisory: * Open an issue in Jira XWiki.org * Email us at Security Mailing List
- Database specific
{ "nvd_published_at": "2024-01-09T00:15:44Z", "github_reviewed": true, "github_reviewed_at": "2024-01-08T16:39:47Z", "severity": "HIGH", "cwe_ids": [ "CWE-400" ] }- References
-
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-8959-rfxh-r4j4
- https://nvd.nist.gov/vuln/detail/CVE-2024-21651
- https://github.com/xwiki/xwiki-platform
- https://jira.xwiki.org/browse/XCOMMONS-2796
- https://search.maven.org/remotecontent?filepath=org/apache/commons/commons-compress/1.24.0/commons-compress-1.24.0.jar
Affected packages
Maven
org.xwiki.platform:xwiki-platform-distribution-war
Package
- Name
- org.xwiki.platform:xwiki-platform-distribution-war
- View open source insights on deps.dev
- Purl
- pkg:maven/org.xwiki.platform/xwiki-platform-distribution-war
org.xwiki.platform:xwiki-platform-distribution-war
Package
- Name
- org.xwiki.platform:xwiki-platform-distribution-war
- View open source insights on deps.dev
- Purl
- pkg:maven/org.xwiki.platform/xwiki-platform-distribution-war
org.xwiki.platform:xwiki-platform-distribution-war
Package
- Name
- org.xwiki.platform:xwiki-platform-distribution-war
- View open source insights on deps.dev
- Purl
- pkg:maven/org.xwiki.platform/xwiki-platform-distribution-war