GHSA-hf43-47q4-fhq5

Source
https://github.com/advisories/GHSA-hf43-47q4-fhq5
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-hf43-47q4-fhq5/GHSA-hf43-47q4-fhq5.json
Aliases
Published
2024-04-10T17:16:37Z
Modified
2024-04-10T22:16:46.490125Z
Summary
XWiki Commons missing escaping of `{` in Velocity escapetool allows remote code execution
Details

Impact

The HTML escaping of the escaping tool used in XWiki (`$escapetool.html`) doesn't escape `{`, which, when the escaped output is used in certain places, allows XWiki syntax injection and thereby remote code execution.

To reproduce in an XWiki installation, open `<xwiki-host>/xwiki/bin/view/Panels/PanelLayoutUpdate?place=%7B%7B%2Fhtml%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bvelocity%7D%7D%23evaluate(%24request.eval)%7B%7B%2Fvelocity%7D%7D%7B%7B%2Fasync%7D%7D&eval=Hello%20from%20URL%20Parameter!%20I%20got%20programming%3A%20%24services.security.authorization.hasAccess(%27programming%27)` where `<xwiki-host>` is the URL of your XWiki installation. If this displays `You are not admin on this place Hello from URL Parameter! I got programming: true`, the installation is vulnerable.

Patches

The vulnerability has been fixed on XWiki 14.10.19, 15.5.5, and 15.9 RC1.

Workarounds

Apart from upgrading, there is no generic workaround. However, replacing `$escapetool.html` by `$escapetool.xml` in XWiki documents fixes the vulnerability. In a standard XWiki installation, the only document we are aware of that exposes this vulnerability is `Panels.PanelLayoutUpdate`; patching that document is thus a workaround. Any extension could also expose this vulnerability and might thus require patching, too.
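As an added example (not XWiki's own code), the following Python models the two escaping behaviours described under Impact and Workarounds, and adds a small scanner for the `$escapetool.html` call sites that the workaround replaces; `WIKI_SYNTAX_INJECTION`, `SAMPLE_VM` and the `ESCAPETOOL_HTML` pattern are constructed for illustration.

```python
import html
import re

# Constructed sample input: the URL-decoded `place` parameter from the advisory's
# reproduction URL. It closes the surrounding {{html}} macro and opens new macros.
WIKI_SYNTAX_INJECTION = (
    "{{/html}}{{async async=false}}{{velocity}}"
    "#evaluate($request.eval){{/velocity}}{{/async}}"
)

# Constructed Velocity snippet modelled on the advisory's description of
# Panels.PanelLayoutUpdate; it is not the real document's content.
SAMPLE_VM = """{{html}}
<p>You are not admin on this place $escapetool.html($request.place)</p>
{{/html}}"""

# Velocity call that the advisory's workaround replaces (constructed pattern).
ESCAPETOOL_HTML = re.compile(r"\$escapetool\.html\(")


def html_escape_only(value: str) -> str:
    """Model of the pre-fix behaviour: plain HTML entity escaping (& < > " ').
    `{` passes through untouched, so `{{` survives into the wiki-syntax parser."""
    return html.escape(value, quote=True)


def html_escape_with_brace(value: str) -> str:
    """Model of the fixed behaviour: HTML escaping that also turns `{` into &#123;.
    The browser still renders `{`, but the wiki-syntax parser never sees `{{`,
    so escaped content can neither close nor open a macro."""
    return html_escape_only(value).replace("{", "&#123;")


def contains_macro_delimiter(rendered: str) -> bool:
    """True if the escaped output still carries the macro delimiter `{{`."""
    return "{{" in rendered


def find_escapetool_html(velocity_source: str) -> list[int]:
    """1-based line numbers of `$escapetool.html(` calls: candidate sites for the
    workaround of switching to `$escapetool.xml`, which the advisory states fixes it."""
    lines = velocity_source.splitlines()
    return [i for i, line in enumerate(lines, 1) if ESCAPETOOL_HTML.search(line)]


def apply_workaround(velocity_source: str) -> str:
    """Rewrite `$escapetool.html(` to `$escapetool.xml(` in a Velocity source."""
    return ESCAPETOOL_HTML.sub("$escapetool.xml(", velocity_source)
```

Running `find_escapetool_html` over exported wiki pages and extension templates gives a list of sites to review before deciding whether the workaround or an upgrade is needed.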

References

  • https://github.com/xwiki/xwiki-commons/commit/b94142e2a66ec32e89eacab67c3da8d91f5ef93a
  • https://jira.xwiki.org/browse/XCOMMONS-2828
  • https://jira.xwiki.org/browse/XWIKI-21438
Affected packages

Maven / org.xwiki.commons:xwiki-commons-velocity

Package

Name
org.xwiki.commons:xwiki-commons-velocity

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.1
Fixed
14.10.19

Affected versions

3.*

3.2-milestone-3
3.2-rc-1
3.2
3.2.1
3.3-milestone-1
3.3-milestone-2
3.3-rc-1
3.3
3.3.1
3.4-milestone-1
3.4-rc-1
3.4
3.5-milestone-1
3.5
3.5.1

4.*

4.0-milestone-1
4.0-milestone-2
4.0-rc-1
4.0
4.0.1
4.1-milestone-1
4.1-milestone-2
4.1-rc-1
4.1
4.1.1
4.1.2
4.1.3
4.1.4
4.2-milestone-1
4.2-milestone-2
4.2-milestone-3
4.2-rc-1
4.2
4.3-milestone-1
4.3-milestone-2
4.3-rc-1
4.3
4.3.1
4.4-rc-1
4.4
4.4.1
4.5-milestone-1
4.5-rc-1
4.5
4.5.1
4.5.2
4.5.3

5.*

5.0-milestone-1
5.0-milestone-2
5.0-rc-1
5.0
5.0.1
5.0.2
5.0.3
5.1-milestone-1
5.1-milestone-2
5.1-rc-1
5.1
5.2-milestone-1
5.2-milestone-2
5.2-rc-1
5.2
5.2.1
5.2.2
5.2.3
5.2.4
5.3-milestone-1
5.3-milestone-2
5.3-rc-1
5.3
5.4-milestone-1
5.4-rc-1
5.4
5.4.1
5.4.2
5.4.3
5.4.4
5.4.5
5.4.6
5.4.7

6.*

6.0-milestone-1
6.0-milestone-2
6.0-rc-1
6.0
6.0.1
6.1-milestone-1
6.1-milestone-2
6.1-rc-1
6.1
6.2-milestone-1
6.2-milestone-2
6.2-rc-1
6.2
6.2.1
6.2.2
6.2.3
6.2.4
6.2.5
6.2.6
6.2.7
6.3-milestone-1
6.3-milestone-2
6.3-rc-1
6.3
6.4-milestone-1
6.4-milestone-2
6.4-milestone-3
6.4-rc-1
6.4
6.4.1
6.4.2
6.4.3
6.4.4
6.4.5
6.4.6
6.4.7
6.4.8

7.*

7.0-milestone-1
7.0-milestone-2
7.0-rc-1
7.0
7.0.1
7.1-milestone-1
7.1-milestone-2
7.1-rc-1
7.1
7.1.1
7.1.2
7.1.3
7.1.4
7.2-milestone-1
7.2-milestone-2
7.2-milestone-3
7.2-rc-1
7.2
7.3-milestone-1
7.3-rc-1
7.3
7.4-milestone-1
7.4-milestone-2
7.4-rc-1
7.4
7.4.1
7.4.2
7.4.3
7.4.4
7.4.5
7.4.6

8.*

8.0-milestone-1
8.0-milestone-2
8.0-rc-1
8.0
8.1-milestone-1
8.1-milestone-2
8.1-rc-1
8.1
8.2-milestone-1
8.2-milestone-2
8.2-rc-1
8.2
8.2.1
8.2.2
8.3-milestone-2
8.3-rc-1
8.3
8.4-rc-1
8.4
8.4.1
8.4.2
8.4.3
8.4.4
8.4.5
8.4.6

9.*

9.0-rc-1
9.0
9.1-rc-1
9.1
9.1.1
9.1.2
9.2-rc-1
9.2
9.3-rc-1
9.3
9.3.1
9.4-rc-1
9.4
9.5-rc-1
9.5
9.5.1
9.6-rc-1
9.6
9.7-rc-1
9.7
9.8-rc-1
9.8
9.8.1
9.9-rc-1
9.9-rc-2
9.9
9.10-rc-1
9.10
9.10.1
9.11-rc-1
9.11
9.11.1
9.11.2
9.11.3
9.11.4
9.11.5
9.11.6
9.11.7
9.11.8
9.11.9

10.*

10.0
10.1-rc-1
10.1
10.2
10.3
10.4-rc-1
10.4
10.5-rc-1
10.5
10.6-rc-1
10.6
10.6.1
10.7-rc-1
10.7
10.7.1
10.8-rc-1
10.8
10.8.1
10.8.2
10.8.3
10.9
10.10-rc-1
10.10
10.11-rc-1
10.11
10.11.1
10.11.2
10.11.3
10.11.4
10.11.5
10.11.6
10.11.7
10.11.8
10.11.9
10.11.10
10.11.11

11.*

11.0
11.0.1
11.0.2
11.0.3
11.1-rc-1
11.1
11.2-rc-1
11.2
11.3-rc-1
11.3
11.3.1
11.3.2
11.3.3
11.3.4
11.3.5
11.3.6
11.3.7
11.4-rc-1
11.4
11.5-rc-1
11.5
11.6-rc-1
11.6
11.6.1
11.7-rc-1
11.7
11.8-rc-1
11.8
11.8.1
11.9
11.10
11.10.1
11.10.2
11.10.3
11.10.4
11.10.5
11.10.6
11.10.7
11.10.8
11.10.10
11.10.11
11.10.12
11.10.13

12.*

12.0-rc-1
12.0
12.1-rc-1
12.1
12.2
12.2.1
12.3-rc-1
12.3
12.4-rc-1
12.4
12.5-rc-1
12.5
12.5.1
12.6
12.6.1
12.6.2
12.6.3
12.6.4
12.6.5
12.6.6
12.6.7
12.6.8
12.7-rc-1
12.7
12.7.1
12.8-rc-1
12.8
12.9-rc-1
12.9
12.10
12.10.1
12.10.2
12.10.3
12.10.4
12.10.5
12.10.6
12.10.7
12.10.8
12.10.9
12.10.10
12.10.11

13.*

13.0
13.1-rc-1
13.1
13.2-rc-1
13.2
13.3-rc-1
13.3
13.4-rc-1
13.4
13.4.1
13.4.2
13.4.3
13.4.4
13.4.5
13.4.6
13.4.7
13.5-rc-1
13.5
13.6-rc-1
13.6
13.7-rc-1
13.7
13.8-rc-1
13.8
13.9-rc-1
13.9
13.10-rc-1
13.10
13.10.1
13.10.2
13.10.3
13.10.4
13.10.5
13.10.6
13.10.7
13.10.8
13.10.9
13.10.10
13.10.11

14.*

14.0-rc-1
14.0
14.1-rc-1
14.1
14.2-rc-1
14.2
14.2.1
14.3-rc-1
14.3
14.3.1
14.4-rc-1
14.4
14.4.1
14.4.2
14.4.3
14.4.4
14.4.5
14.4.6
14.4.7
14.4.8
14.5
14.6-rc-1
14.6
14.7-rc-1
14.7
14.8-rc-1
14.8
14.9-rc-1
14.9
14.10
14.10.1
14.10.2
14.10.3
14.10.4
14.10.5
14.10.6
14.10.7
14.10.8
14.10.9
14.10.10
14.10.11
14.10.12
14.10.13
14.10.14
14.10.15
14.10.16
14.10.17
14.10.18

Maven / org.xwiki.commons:xwiki-commons-velocity

Package

Name
org.xwiki.commons:xwiki-commons-velocity

Affected ranges

Type
ECOSYSTEM
Events
Introduced
15.0-rc-1
Fixed
15.5.4

Affected versions

15.*

15.0-rc-1
15.0
15.1-rc-1
15.1
15.2-rc-1
15.2
15.3-rc-1
15.3
15.4-rc-1
15.4
15.5-rc-1
15.5
15.5.1
15.5.2
15.5.3

Maven / org.xwiki.commons:xwiki-commons-velocity

Package

Name
org.xwiki.commons:xwiki-commons-velocity

Affected ranges

Type
ECOSYSTEM
Events
Introduced
15.6-rc-1
Fixed
15.9-rc-1

Affected versions

15.*

15.6-rc-1
15.6
15.7-rc-1
15.7
15.8-rc-1
15.8