GHSA-rr6p-3pfg-562j
Suggest an improvement- Source
- https://github.com/advisories/GHSA-rr6p-3pfg-562j
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/02/GHSA-rr6p-3pfg-562j/GHSA-rr6p-3pfg-562j.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-rr6p-3pfg-562j
- Aliases
- Published
- 2025-02-20T20:16:21Z
- Modified
- 2025-02-20T22:53:32Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- XWiki Platform allows remote code execution as guest via SolrSearchMacros request
- Details
-
Impact
Any guest can perform arbitrary remote code execution through a request to
SolrSearch. This impacts the confidentiality, integrity and availability of the whole XWiki installation.To reproduce on an instance, without being logged in, go to
<host>/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20. If there is an output, and the title of the RSS feed containsHello from search text:42, then the instance is vulnerable.Patches
This vulnerability has been patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1.
Workarounds
This line in
Main.SolrSearchMacroscan be edited to match therawResponsemacro defined here with a content type ofapplication/xml, instead of simply outputting the content of the feed.References
- https://jira.xwiki.org/browse/XWIKI-22149
- https://github.com/xwiki/xwiki-platform/commit/67021db9b8ed26c2236a653269302a86bf01ef40
Attribution
This vulnerability has been reported by John Kwak for Trend Micro's Zero Day Initiative.
- Database specific
{ "nvd_published_at": "2025-02-20T20:15:46Z", "cwe_ids": [ "CWE-95" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2025-02-20T20:16:21Z" }- References
-
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rr6p-3pfg-562j
- https://nvd.nist.gov/vuln/detail/CVE-2025-24893
- https://github.com/xwiki/xwiki-platform/commit/67021db9b8ed26c2236a653269302a86bf01ef40
- https://github.com/xwiki/xwiki-platform
- https://github.com/xwiki/xwiki-platform/blob/568447cad5172d97d6bbcfda9f6183689c2cf086/xwiki-platform-core/xwiki-platform-search/xwiki-platform-search-solr/xwiki-platform-search-solr-ui/src/main/resources/Main/SolrSearchMacros.xml#L955
- https://github.com/xwiki/xwiki-platform/blob/67021db9b8ed26c2236a653269302a86bf01ef40/xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/src/main/resources/templates/macros.vm#L2824
- https://jira.xwiki.org/browse/XWIKI-22149
Affected packages
Maven / org.xwiki.platform:xwiki-platform-search-solr-ui
Package
- Name
- org.xwiki.platform:xwiki-platform-search-solr-ui
- View open source insights on deps.dev
- Purl
- pkg:maven/org.xwiki.platform/xwiki-platform-search-solr-ui
Maven / org.xwiki.platform:xwiki-platform-search-solr-ui
Package
- Name
- org.xwiki.platform:xwiki-platform-search-solr-ui
- View open source insights on deps.dev
- Purl
- pkg:maven/org.xwiki.platform/xwiki-platform-search-solr-ui