GHSA-m2r5-4w96-qxg5

Source

https://github.com/advisories/GHSA-m2r5-4w96-qxg5

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-m2r5-4w96-qxg5/GHSA-m2r5-4w96-qxg5.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-m2r5-4w96-qxg5

Aliases

CVE-2022-24898

Published

2022-04-28T19:31:55Z

Modified

2023-11-08T04:08:39.783639Z

Severity

4.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Arbitrary file access through XML parsing in org.xwiki.commons:xwiki-commons-xml

Details

Impact

It's possible in a script to access any file accessing to the user running XWiki application server with XML External Entity Injection through the XML script service.

For example:

{{velocity}}
#set($xml=$services.get('xml'))
#set($xxe_payload = "<?xml version='1.0' encoding='UTF-8'?><!DOCTYPE root[<!ENTITY xxe SYSTEM 'file:///etc/passwd' >]><root><foo>&xxe;</foo></root>")
#set($doc=$xml.parse($xxe_payload))
$xml.serialize($doc)
{{/velocity}}

Patches

The problem has been patched on versions 12.10.10, 13.4.4 and 13.8RC1.

Workarounds

There's no easy workaround for fixing this vulnerability other than upgrading and being careful when giving Script rights.

References

https://jira.xwiki.org/browse/XWIKI-18946

For more information

If you have any questions or comments about this advisory: * Open an issue in Jira XWiki * Email us at XWiki Security mailing-list

Database specific

{
    "nvd_published_at": "2022-04-28T20:15:00Z",
    "github_reviewed_at": "2022-04-28T19:31:55Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-611"
    ]
}

References

Affected packages

Maven / org.xwiki.commons:xwiki-commons-xml

Package

Name: org.xwiki.commons:xwiki-commons-xml; View open source insights on deps.dev
Purl: pkg:maven/org.xwiki.commons/xwiki-commons-xml

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.7

Fixed

12.10.10

Affected versions

3.*

3.2-milestone-3

3.2-rc-1

3.2

3.2.1

3.3-milestone-1

3.3-milestone-2

3.3-rc-1

3.3

3.3.1

3.4-milestone-1

3.4-rc-1

3.4

3.5-milestone-1

3.5

3.5.1

4.*

4.0-milestone-1

4.0-milestone-2

4.0-rc-1

4.0

4.0.1

4.1-milestone-1

4.1-milestone-2

4.1-rc-1

4.1

4.1.1

4.1.2

4.1.3

4.1.4

4.2-milestone-1

4.2-milestone-2

4.2-milestone-3

4.2-rc-1

4.2

4.3-milestone-1

4.3-milestone-2

4.3-rc-1

4.3

4.3.1

4.4-rc-1

4.4

4.4.1

4.5-milestone-1

4.5-rc-1

4.5

4.5.1

4.5.2

4.5.3

5.*

5.0-milestone-1

5.0-milestone-2

5.0-rc-1

5.0

5.0.1

5.0.2

5.0.3

5.1-milestone-1

5.1-milestone-2

5.1-rc-1

5.1

5.2-milestone-1

5.2-milestone-2

5.2-rc-1

5.2

5.2.1

5.2.2

5.2.3

5.2.4

5.3-milestone-1

5.3-milestone-2

5.3-rc-1

5.3

5.4-milestone-1

5.4-rc-1

5.4

5.4.1

5.4.2

5.4.3

5.4.4

5.4.5

5.4.6

5.4.7

6.*

6.0-milestone-1

6.0-milestone-2

6.0-rc-1

6.0

6.0.1

6.1-milestone-1

6.1-milestone-2

6.1-rc-1

6.1

6.2-milestone-1

6.2-milestone-2

6.2-rc-1

6.2

6.2.1

6.2.2

6.2.3

6.2.4

6.2.5

6.2.6

6.2.7

6.3-milestone-1

6.3-milestone-2

6.3-rc-1

6.3

6.4-milestone-1

6.4-milestone-2

6.4-milestone-3

6.4-rc-1

6.4

6.4.1

6.4.2

6.4.3

6.4.4

6.4.5

6.4.6

6.4.7

6.4.8

7.*

7.0-milestone-1

7.0-milestone-2

7.0-rc-1

7.0

7.0.1

7.1-milestone-1

7.1-milestone-2

7.1-rc-1

7.1

7.1.1

7.1.2

7.1.3

7.1.4

7.2-milestone-1

7.2-milestone-2

7.2-milestone-3

7.2-rc-1

7.2

7.3-milestone-1

7.3-rc-1

7.3

7.4-milestone-1

7.4-milestone-2

7.4-rc-1

7.4

7.4.1

7.4.2

7.4.3

7.4.4

7.4.5

7.4.6

8.*

8.0-milestone-1

8.0-milestone-2

8.0-rc-1

8.0

8.1-milestone-1

8.1-milestone-2

8.1-rc-1

8.1

8.2-milestone-1

8.2-milestone-2

8.2-rc-1

8.2

8.2.1

8.2.2

8.3-milestone-2

8.3-rc-1

8.3

8.4-rc-1

8.4

8.4.1

8.4.2

8.4.3

8.4.4

8.4.5

8.4.6

9.*

9.0-rc-1

9.0

9.1-rc-1

9.1

9.1.1

9.1.2

9.2-rc-1

9.2

9.3-rc-1

9.3

9.3.1

9.4-rc-1

9.4

9.5-rc-1

9.5

9.5.1

9.6-rc-1

9.6

9.7-rc-1

9.7

9.8-rc-1

9.8

9.8.1

9.9-rc-1

9.9-rc-2

9.9

9.10-rc-1

9.10

9.10.1

9.11-rc-1

9.11

9.11.1

9.11.2

9.11.3

9.11.4

9.11.5

9.11.6

9.11.7

9.11.8

9.11.9

10.*

10.0

10.1-rc-1

10.1

10.2

10.3

10.4-rc-1

10.4

10.5-rc-1

10.5

10.6-rc-1

10.6

10.6.1

10.7-rc-1

10.7

10.7.1

10.8-rc-1

10.8

10.8.1

10.8.2

10.8.3

10.9

10.10-rc-1

10.10

10.11-rc-1

10.11

10.11.1

10.11.2

10.11.3

10.11.4

10.11.5

10.11.6

10.11.7

10.11.8

10.11.9

10.11.10

10.11.11

11.*

11.0

11.0.1

11.0.2

11.0.3

11.1-rc-1

11.1

11.2-rc-1

11.2

11.3-rc-1

11.3

11.3.1

11.3.2

11.3.3

11.3.4

11.3.5

11.3.6

11.3.7

11.4-rc-1

11.4

11.5-rc-1

11.5

11.6-rc-1

11.6

11.6.1

11.7-rc-1

11.7

11.8-rc-1

11.8

11.8.1

11.9

11.10

11.10.1

11.10.2

11.10.3

11.10.4

11.10.5

11.10.6

11.10.7

11.10.8

11.10.10

11.10.11

11.10.12

11.10.13

12.*

12.0-rc-1

12.0

12.1-rc-1

12.1

12.2

12.2.1

12.3-rc-1

12.3

12.4-rc-1

12.4

12.5-rc-1

12.5

12.5.1

12.6

12.6.1

12.6.2

12.6.3

12.6.4

12.6.5

12.6.6

12.6.7

12.6.8

12.7-rc-1

12.7

12.7.1

12.8-rc-1

12.8

12.9-rc-1

12.9

12.10

12.10.1

12.10.2

12.10.3

12.10.4

12.10.5

12.10.6

12.10.7

12.10.8

12.10.9

Maven / org.xwiki.commons:xwiki-commons-xml

Package

Name: org.xwiki.commons:xwiki-commons-xml; View open source insights on deps.dev
Purl: pkg:maven/org.xwiki.commons/xwiki-commons-xml

Affected ranges

Type: ECOSYSTEM
Events: Introduced

13.0.0

Fixed

13.4.4

Affected versions

13.*

13.0

13.1-rc-1

13.1

13.2-rc-1

13.2

13.3-rc-1

13.3

13.4-rc-1

13.4

13.4.1

13.4.2

13.4.3

Maven / org.xwiki.commons:xwiki-commons-xml

Package

Name: org.xwiki.commons:xwiki-commons-xml; View open source insights on deps.dev
Purl: pkg:maven/org.xwiki.commons/xwiki-commons-xml

Affected ranges

Type: ECOSYSTEM
Events: Introduced

13.5-rc-1

Fixed

13.8-rc-1

Affected versions

13.*

13.5-rc-1

13.5

13.6-rc-1

13.6

13.7-rc-1

13.7

Database specific

{
    "last_known_affected_version_range": "<= 13.7"
}