GHSA-hf43-47q4-fhq5

Source

https://github.com/advisories/GHSA-hf43-47q4-fhq5

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-hf43-47q4-fhq5/GHSA-hf43-47q4-fhq5.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-hf43-47q4-fhq5

Aliases

CVE-2024-31996

Published

2024-04-10T17:16:37Z

Modified

2024-04-10T22:16:46.490125Z

Severity

10.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS Calculator

Summary

XWiki Commons missing escaping of `{` in Velocity escapetool allows remote code execution

Details

Impact

The HTML escaping of escaping tool that is used in XWiki doesn't escape {, which, when used in certain places, allows XWiki syntax injection and thereby remote code execution.

To reproduce in an XWiki installation, open <xwiki-host>/xwiki/bin/view/Panels/PanelLayoutUpdate?place=%7B%7B%2Fhtml%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bvelocity%7D%7D%23evaluate(%24request.eval)%7B%7B%2Fvelocity%7D%7D%7B%7B%2Fasync%7D%7D&eval=Hello%20from%20URL%20Parameter!%20I%20got%20programming%3A%20%24services.security.authorization.hasAccess(%27programming%27) where <xwiki-host> is the URL of your XWiki installation. If this displays You are not admin on this place Hello from URL Parameter! I got programming: true, the installation is vulnerable.

Patches

The vulnerability has been fixed on XWiki 14.10.19, 15.5.5, and 15.9 RC1.

Workarounds

Apart from upgrading, there is no generic workaround. However, replacing $escapetool.html by $escapetool.xml in XWiki documents fixes the vulnerability. In a standard XWiki installation, we're only aware of the document Panels.PanelLayoutUpdate that exposes this vulnerability, patching this document is thus a workaround. Any extension could expose this vulnerability and might thus require patching, too.

References

https://github.com/xwiki/xwiki-commons/commit/b94142e2a66ec32e89eacab67c3da8d91f5ef93a
https://jira.xwiki.org/browse/XCOMMONS-2828
https://jira.xwiki.org/browse/XWIKI-21438

Database specific

{
    "nvd_published_at": "2024-04-10T21:15:07Z",
    "cwe_ids": [
        "CWE-95"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-10T17:16:37Z"
}

References

Affected packages

Maven / org.xwiki.commons:xwiki-commons-velocity

Package

Name: org.xwiki.commons:xwiki-commons-velocity; View open source insights on deps.dev
Purl: pkg:maven/org.xwiki.commons/xwiki-commons-velocity

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.0.1

Fixed

14.10.19

Affected versions

3.*

3.2-milestone-3

3.2-rc-1

3.2

3.2.1

3.3-milestone-1

3.3-milestone-2

3.3-rc-1

3.3

3.3.1

3.4-milestone-1

3.4-rc-1

3.4

3.5-milestone-1

3.5

3.5.1

4.*

4.0-milestone-1

4.0-milestone-2

4.0-rc-1

4.0

4.0.1

4.1-milestone-1

4.1-milestone-2

4.1-rc-1

4.1

4.1.1

4.1.2

4.1.3

4.1.4

4.2-milestone-1

4.2-milestone-2

4.2-milestone-3

4.2-rc-1

4.2

4.3-milestone-1

4.3-milestone-2

4.3-rc-1

4.3

4.3.1

4.4-rc-1

4.4

4.4.1

4.5-milestone-1

4.5-rc-1

4.5

4.5.1

4.5.2

4.5.3

5.*

5.0-milestone-1

5.0-milestone-2

5.0-rc-1

5.0

5.0.1

5.0.2

5.0.3

5.1-milestone-1

5.1-milestone-2

5.1-rc-1

5.1

5.2-milestone-1

5.2-milestone-2

5.2-rc-1

5.2

5.2.1

5.2.2

5.2.3

5.2.4

5.3-milestone-1

5.3-milestone-2

5.3-rc-1

5.3

5.4-milestone-1

5.4-rc-1

5.4

5.4.1

5.4.2

5.4.3

5.4.4

5.4.5

5.4.6

5.4.7

6.*

6.0-milestone-1

6.0-milestone-2

6.0-rc-1

6.0

6.0.1

6.1-milestone-1

6.1-milestone-2

6.1-rc-1

6.1

6.2-milestone-1

6.2-milestone-2

6.2-rc-1

6.2

6.2.1

6.2.2

6.2.3

6.2.4

6.2.5

6.2.6

6.2.7

6.3-milestone-1

6.3-milestone-2

6.3-rc-1

6.3

6.4-milestone-1

6.4-milestone-2

6.4-milestone-3

6.4-rc-1

6.4

6.4.1

6.4.2

6.4.3

6.4.4

6.4.5

6.4.6

6.4.7

6.4.8

7.*

7.0-milestone-1

7.0-milestone-2

7.0-rc-1

7.0

7.0.1

7.1-milestone-1

7.1-milestone-2

7.1-rc-1

7.1

7.1.1

7.1.2

7.1.3

7.1.4

7.2-milestone-1

7.2-milestone-2

7.2-milestone-3

7.2-rc-1

7.2

7.3-milestone-1

7.3-rc-1

7.3

7.4-milestone-1

7.4-milestone-2

7.4-rc-1

7.4

7.4.1

7.4.2

7.4.3

7.4.4

7.4.5

7.4.6

8.*

8.0-milestone-1

8.0-milestone-2

8.0-rc-1

8.0

8.1-milestone-1

8.1-milestone-2

8.1-rc-1

8.1

8.2-milestone-1

8.2-milestone-2

8.2-rc-1

8.2

8.2.1

8.2.2

8.3-milestone-2

8.3-rc-1

8.3

8.4-rc-1

8.4

8.4.1

8.4.2

8.4.3

8.4.4

8.4.5

8.4.6

9.*

9.0-rc-1

9.0

9.1-rc-1

9.1

9.1.1

9.1.2

9.2-rc-1

9.2

9.3-rc-1

9.3

9.3.1

9.4-rc-1

9.4

9.5-rc-1

9.5

9.5.1

9.6-rc-1

9.6

9.7-rc-1

9.7

9.8-rc-1

9.8

9.8.1

9.9-rc-1

9.9-rc-2

9.9

9.10-rc-1

9.10

9.10.1

9.11-rc-1

9.11

9.11.1

9.11.2

9.11.3

9.11.4

9.11.5

9.11.6

9.11.7

9.11.8

9.11.9

10.*

10.0

10.1-rc-1

10.1

10.2

10.3

10.4-rc-1

10.4

10.5-rc-1

10.5

10.6-rc-1

10.6

10.6.1

10.7-rc-1

10.7

10.7.1

10.8-rc-1

10.8

10.8.1

10.8.2

10.8.3

10.9

10.10-rc-1

10.10

10.11-rc-1

10.11

10.11.1

10.11.2

10.11.3

10.11.4

10.11.5

10.11.6

10.11.7

10.11.8

10.11.9

10.11.10

10.11.11

11.*

11.0

11.0.1

11.0.2

11.0.3

11.1-rc-1

11.1

11.2-rc-1

11.2

11.3-rc-1

11.3

11.3.1

11.3.2

11.3.3

11.3.4

11.3.5

11.3.6

11.3.7

11.4-rc-1

11.4

11.5-rc-1

11.5

11.6-rc-1

11.6

11.6.1

11.7-rc-1

11.7

11.8-rc-1

11.8

11.8.1

11.9

11.10

11.10.1

11.10.2

11.10.3

11.10.4

11.10.5

11.10.6

11.10.7

11.10.8

11.10.10

11.10.11

11.10.12

11.10.13

12.*

12.0-rc-1

12.0

12.1-rc-1

12.1

12.2

12.2.1

12.3-rc-1

12.3

12.4-rc-1

12.4

12.5-rc-1

12.5

12.5.1

12.6

12.6.1

12.6.2

12.6.3

12.6.4

12.6.5

12.6.6

12.6.7

12.6.8

12.7-rc-1

12.7

12.7.1

12.8-rc-1

12.8

12.9-rc-1

12.9

12.10

12.10.1

12.10.2

12.10.3

12.10.4

12.10.5

12.10.6

12.10.7

12.10.8

12.10.9

12.10.10

12.10.11

13.*

13.0

13.1-rc-1

13.1

13.2-rc-1

13.2

13.3-rc-1

13.3

13.4-rc-1

13.4

13.4.1

13.4.2

13.4.3

13.4.4

13.4.5

13.4.6

13.4.7

13.5-rc-1

13.5

13.6-rc-1

13.6

13.7-rc-1

13.7

13.8-rc-1

13.8

13.9-rc-1

13.9

13.10-rc-1

13.10

13.10.1

13.10.2

13.10.3

13.10.4

13.10.5

13.10.6

13.10.7

13.10.8

13.10.9

13.10.10

13.10.11

14.*

14.0-rc-1

14.0

14.1-rc-1

14.1

14.2-rc-1

14.2

14.2.1

14.3-rc-1

14.3

14.3.1

14.4-rc-1

14.4

14.4.1

14.4.2

14.4.3

14.4.4

14.4.5

14.4.6

14.4.7

14.4.8

14.5

14.6-rc-1

14.6

14.7-rc-1

14.7

14.8-rc-1

14.8

14.9-rc-1

14.9

14.10

14.10.1

14.10.2

14.10.3

14.10.4

14.10.5

14.10.6

14.10.7

14.10.8

14.10.9

14.10.10

14.10.11

14.10.12

14.10.13

14.10.14

14.10.15

14.10.16

14.10.17

14.10.18

Maven / org.xwiki.commons:xwiki-commons-velocity

Package

Name: org.xwiki.commons:xwiki-commons-velocity; View open source insights on deps.dev
Purl: pkg:maven/org.xwiki.commons/xwiki-commons-velocity

Affected ranges

Type: ECOSYSTEM
Events: Introduced

15.0-rc-1

Fixed

15.5.4

Affected versions

15.*

15.0-rc-1

15.0

15.1-rc-1

15.1

15.2-rc-1

15.2

15.3-rc-1

15.3

15.4-rc-1

15.4

15.5-rc-1

15.5

15.5.1

15.5.2

15.5.3

Maven / org.xwiki.commons:xwiki-commons-velocity

Package

Name: org.xwiki.commons:xwiki-commons-velocity; View open source insights on deps.dev
Purl: pkg:maven/org.xwiki.commons/xwiki-commons-velocity

Affected ranges

Type: ECOSYSTEM
Events: Introduced

15.6-rc-1

Fixed

15.9-rc-1

Affected versions

15.*

15.6-rc-1

15.6

15.7-rc-1

15.7

15.8-rc-1

15.8