GHSA-h63h-5c77-77p5

Source

https://github.com/advisories/GHSA-h63h-5c77-77p5

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-h63h-5c77-77p5/GHSA-h63h-5c77-77p5.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-h63h-5c77-77p5

Aliases

CVE-2024-37901

Published

2024-07-31T15:24:37Z

Modified

2024-09-06T21:41:22Z

Severity

9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
9.4 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H CVSS Calculator

Summary

XWiki Platform vulnerable to remote code execution from account via SearchSuggestConfigSheet

Details

Impact

Any user with edit right on any page can perform arbitrary remote code execution by adding instances of XWiki.SearchSuggestConfig and XWiki.SearchSuggestSourceClass to their user profile or any other page. This compromises the confidentiality, integrity and availability of the whole XWiki installation.

To reproduce on an instance, as a user without script nor programming rights, add an object of type XWiki.SearchSuggestConfig to your profile page, and an object of type XWiki.SearchSuggestSourceClass as well. On this last object, set both name and icon properties to $services.logging.getLogger("attacker").error("I got programming: $services.security.authorization.hasAccess('programming')") and limit and engine to {{/html}}{{async}}{{velocity}}$services.logging.getLogger("attacker").error("I got programming: $services.security.authorization.hasAccess('programming')"){{/velocity}}{{/async}}. Save and display the page. If the logs contain any message ERROR attacker - I got programming: true then the instance is vulnerable.

Patches

This vulnerability has been patched in XWiki 14.10.21, 15.5.5 and 15.10.2.

Workarounds

We're not aware of any workaround except upgrading.

References

https://jira.xwiki.org/browse/XWIKI-21473
https://github.com/xwiki/xwiki-platform/commit/742cd4591642be4cdcaf68325f17540e0934e64e

Database specific

{
    "nvd_published_at": "2024-07-31T16:15:03Z",
    "cwe_ids": [
        "CWE-862",
        "CWE-94",
        "CWE-95"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2024-07-31T15:24:37Z"
}

References

Affected packages

Maven / org.xwiki.platform:xwiki-platform-search-ui

Package

Name: org.xwiki.platform:xwiki-platform-search-ui; View open source insights on deps.dev
Purl: pkg:maven/org.xwiki.platform/xwiki-platform-search-ui

Affected ranges

Type: ECOSYSTEM
Events: Introduced

9.2-rc-1

Fixed

14.10.21

Maven / org.xwiki.platform:xwiki-platform-search-ui

Package

Name: org.xwiki.platform:xwiki-platform-search-ui; View open source insights on deps.dev
Purl: pkg:maven/org.xwiki.platform/xwiki-platform-search-ui

Affected ranges

Type: ECOSYSTEM
Events: Introduced

15.0-rc-1

Fixed

15.5.5

Maven / org.xwiki.platform:xwiki-platform-search-ui

Package

Name: org.xwiki.platform:xwiki-platform-search-ui; View open source insights on deps.dev
Purl: pkg:maven/org.xwiki.platform/xwiki-platform-search-ui

Affected ranges

Type: ECOSYSTEM
Events: Introduced

15.6-rc-1

Fixed

15.10.2