GHSA-vxwr-wpjv-qjq7
Suggest an improvement- Source
- https://github.com/advisories/GHSA-vxwr-wpjv-qjq7
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-vxwr-wpjv-qjq7/GHSA-vxwr-wpjv-qjq7.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-vxwr-wpjv-qjq7
- Aliases
- Published
- 2024-04-10T17:11:45Z
- Modified
- 2024-04-10T22:00:51Z
- Severity
-
- 9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
- Summary
- XWiki Platform: Privilege escalation (PR) from user registration through PDFClass
- Details
-
Impact
Remote code execution is possible via PDF export templates. To reproduce on an installation, register a new user account with username
PDFClassifXWiki.PDFClassdoes not exist. OnXWiki.PDFClass, use the class editor to add a "style" property of type "TextArea" and content type "Plain Text". Then, add an object of classPDFClassand set the "style" attribute to$services.logging.getLogger('PDFClass').error("I got programming: $services.security.authorization.hasAccess('programming')"). Finally, go to<host>/xwiki/bin/export/Main/WebHome?format=pdf&pdftemplate=XWiki.PDFClass. If the logs contain "ERROR PDFClass - I got programming: true", the instance is vulnerable.Patches
This vulnerability has been patched in XWiki 14.10.20, 15.5.4 and 15.10-rc-1.
Workarounds
If PDF templates are not typically used on the instance, an administrator can create the document
XWiki.PDFClassand block its edition, after making sure that it does not contain astyleattribute. Otherwise, the instance needs to be updated.References
- https://jira.xwiki.org/browse/XWIKI-21337
- https://github.com/xwiki/xwiki-platform/commit/d28e21a670c69880b951e415dd2ddd69d273eae9
- Database specific
{ "nvd_published_at": "2024-04-10T20:15:08Z", "cwe_ids": [ "CWE-862" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2024-04-10T17:11:45Z" }- References
-
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-vxwr-wpjv-qjq7
- https://nvd.nist.gov/vuln/detail/CVE-2024-31981
- https://github.com/xwiki/xwiki-platform/commit/480186f9d2fca880513da8bc5a609674d106cbd3
- https://github.com/xwiki/xwiki-platform/commit/a4ad14d9c1605a5ab957237e505ebbb29f5b9d73
- https://github.com/xwiki/xwiki-platform/commit/d28e21a670c69880b951e415dd2ddd69d273eae9
- https://github.com/xwiki/xwiki-platform
- https://jira.xwiki.org/browse/XWIKI-21337
Affected packages
Maven / org.xwiki.platform:xwiki-platform-oldcore
Package
- Name
- org.xwiki.platform:xwiki-platform-oldcore
- View open source insights on deps.dev
- Purl
- pkg:maven/org.xwiki.platform/xwiki-platform-oldcore
Maven / org.xwiki.platform:xwiki-platform-oldcore
Package
- Name
- org.xwiki.platform:xwiki-platform-oldcore
- View open source insights on deps.dev
- Purl
- pkg:maven/org.xwiki.platform/xwiki-platform-oldcore
Maven / org.xwiki.platform:xwiki-platform-oldcore
Package
- Name
- org.xwiki.platform:xwiki-platform-oldcore
- View open source insights on deps.dev
- Purl
- pkg:maven/org.xwiki.platform/xwiki-platform-oldcore