CVE-2023-37913

Exploit

EPSS 1.08%
Veröffentlicht 25.10.2023 18:17:28
Zuletzt bearbeitet 21.11.2024 08:12:27
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

org.xwiki.platform:xwiki-platform-office-importer vulnerable to arbitrary server side file writing from account through office converter

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 3.5-milestone-1 and prior to versions 14.10.8 and 15.3-rc-1, triggering the office converter with a specially crafted file name allows writing the attachment's content to an attacker-controlled location on the server as long as the Java process has write access to that location. In particular in the combination with attachment moving, a feature introduced in XWiki 14.0, this is easy to reproduce but it also possible to reproduce in versions as old as XWiki 3.5 by uploading the attachment through the REST API which doesn't remove `/` or `\` from the filename. As the mime type of the attachment doesn't matter for the exploitation, this could e.g., be used to replace the `jar`-file of an extension which would allow executing arbitrary Java code and thus impact the confidentiality, integrity and availability of the XWiki installation. This vulnerability has been patched in XWiki 14.10.8 and 15.3RC1. There are no known workarounds apart from disabling the office converter.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 6

NVD 2 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Xwiki ≫ Xwiki Version >= 3.5 < 14.10.8

Xwiki ≫ Xwiki Version >= 15.0 < 15.3

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.08%	0.606

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	9.9	3.1	6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

CWE-23 Relative Path Traversal

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

https://github.com/xwiki/xwiki-platform/commit/45d182a4141ff22f3ff289cf71e4669bdc714544

Patch

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-vcvr-v426-3m3m

Patch

Vendor Advisory

https://jira.xwiki.org/browse/XWIKI-20715

Patch

Vendor Advisory

Exploit

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2023-37913

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-37913

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-37913

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2023-37913