cve-2023-37913
Vulnerability from cvelistv5
Published
2023-10-25 17:59
Modified
2024-09-12 20:46
Severity ?
EPSS score ?
Summary
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 3.5-milestone-1 and prior to versions 14.10.8 and 15.3-rc-1, triggering the office converter with a specially crafted file name allows writing the attachment's content to an attacker-controlled location on the server as long as the Java process has write access to that location. In particular in the combination with attachment moving, a feature introduced in XWiki 14.0, this is easy to reproduce but it also possible to reproduce in versions as old as XWiki 3.5 by uploading the attachment through the REST API which doesn't remove `/` or `\` from the filename. As the mime type of the attachment doesn't matter for the exploitation, this could e.g., be used to replace the `jar`-file of an extension which would allow executing arbitrary Java code and thus impact the confidentiality, integrity and availability of the XWiki installation. This vulnerability has been patched in XWiki 14.10.8 and 15.3RC1. There are no known workarounds apart from disabling the office converter.
References
▼ | URL | Tags | |
---|---|---|---|
security-advisories@github.com | https://github.com/xwiki/xwiki-platform/commit/45d182a4141ff22f3ff289cf71e4669bdc714544 | Patch | |
security-advisories@github.com | https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-vcvr-v426-3m3m | Patch, Vendor Advisory | |
security-advisories@github.com | https://jira.xwiki.org/browse/XWIKI-20715 | Exploit, Issue Tracking, Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/xwiki/xwiki-platform/commit/45d182a4141ff22f3ff289cf71e4669bdc714544 | Patch | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-vcvr-v426-3m3m | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.xwiki.org/browse/XWIKI-20715 | Exploit, Issue Tracking, Patch, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | xwiki | xwiki-platform |
Version: >= 3.5-milestone-1, < 14.10.8 Version: >= 15.0-rc-1, < 15.3-rc-1 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T17:23:27.718Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-vcvr-v426-3m3m", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-vcvr-v426-3m3m" }, { "name": "https://github.com/xwiki/xwiki-platform/commit/45d182a4141ff22f3ff289cf71e4669bdc714544", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/xwiki/xwiki-platform/commit/45d182a4141ff22f3ff289cf71e4669bdc714544" }, { "name": "https://jira.xwiki.org/browse/XWIKI-20715", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.xwiki.org/browse/XWIKI-20715" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-37913", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-09-10T18:32:37.490648Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-12T20:46:58.102Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "xwiki-platform", "vendor": "xwiki", "versions": [ { "status": "affected", "version": "\u003e= 3.5-milestone-1, \u003c 14.10.8" }, { "status": "affected", "version": "\u003e= 15.0-rc-1, \u003c 15.3-rc-1" } ] } ], "descriptions": [ { "lang": "en", "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 3.5-milestone-1 and prior to versions 14.10.8 and 15.3-rc-1, triggering the office converter with a specially crafted file name allows writing the attachment\u0027s content to an attacker-controlled location on the server as long as the Java process has write access to that location. In particular in the combination with attachment moving, a feature introduced in XWiki 14.0, this is easy to reproduce but it also possible to reproduce in versions as old as XWiki 3.5 by uploading the attachment through the REST API which doesn\u0027t remove `/` or `\\` from the filename. As the mime type of the attachment doesn\u0027t matter for the exploitation, this could e.g., be used to replace the `jar`-file of an extension which would allow executing arbitrary Java code and thus impact the confidentiality, integrity and availability of the XWiki installation. This vulnerability has been patched in XWiki 14.10.8 and 15.3RC1. There are no known workarounds apart from disabling the office converter." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-23", "description": "CWE-23: Relative Path Traversal", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-10-25T21:08:21.515Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-vcvr-v426-3m3m", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-vcvr-v426-3m3m" }, { "name": "https://github.com/xwiki/xwiki-platform/commit/45d182a4141ff22f3ff289cf71e4669bdc714544", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/xwiki/xwiki-platform/commit/45d182a4141ff22f3ff289cf71e4669bdc714544" }, { "name": "https://jira.xwiki.org/browse/XWIKI-20715", "tags": [ "x_refsource_MISC" ], "url": "https://jira.xwiki.org/browse/XWIKI-20715" } ], "source": { "advisory": "GHSA-vcvr-v426-3m3m", "discovery": "UNKNOWN" }, "title": "org.xwiki.platform:xwiki-platform-office-importer vulnerable to arbitrary server side file writing from account through office converter" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-37913", "datePublished": "2023-10-25T17:59:46.290Z", "dateReserved": "2023-07-10T17:51:29.611Z", "dateUpdated": "2024-09-12T20:46:58.102Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "vulnerability-lookup:meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2023-37913\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-10-25T18:17:28.687\",\"lastModified\":\"2024-11-21T08:12:27.470\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 3.5-milestone-1 and prior to versions 14.10.8 and 15.3-rc-1, triggering the office converter with a specially crafted file name allows writing the attachment\u0027s content to an attacker-controlled location on the server as long as the Java process has write access to that location. In particular in the combination with attachment moving, a feature introduced in XWiki 14.0, this is easy to reproduce but it also possible to reproduce in versions as old as XWiki 3.5 by uploading the attachment through the REST API which doesn\u0027t remove `/` or `\\\\` from the filename. As the mime type of the attachment doesn\u0027t matter for the exploitation, this could e.g., be used to replace the `jar`-file of an extension which would allow executing arbitrary Java code and thus impact the confidentiality, integrity and availability of the XWiki installation. This vulnerability has been patched in XWiki 14.10.8 and 15.3RC1. There are no known workarounds apart from disabling the office converter.\"},{\"lang\":\"es\",\"value\":\"XWiki Platform es una plataforma wiki gen\u00e9rica que ofrece servicios de ejecuci\u00f3n para aplicaciones creadas sobre ella. A partir de la versi\u00f3n 3.5-milestone-1 y antes de las versiones 14.10.8 y 15.3-rc-1, activar el convertidor de Office con un nombre de archivo especialmente manipulado permite escribir el contenido del archivo adjunto en una ubicaci\u00f3n controlada por el atacante en el servidor siempre que el proceso Java tiene acceso de escritura a esa ubicaci\u00f3n. En particular, en la combinaci\u00f3n con el movimiento de archivos adjuntos, una caracter\u00edstica introducida en XWiki 14.0, esto es f\u00e1cil de reproducir pero tambi\u00e9n es posible reproducir en versiones tan antiguas como XWiki 3.5 cargando el archivo adjunto a trav\u00e9s de la API REST que no elimina `/` o `\\\\` del nombre del archivo. Como el tipo mime del archivo adjunto no importa para la explotaci\u00f3n, esto podr\u00eda usarse, por ejemplo, para reemplazar el archivo `jar` por una extensi\u00f3n que permitir\u00eda ejecutar c\u00f3digo Java arbitrario y, por lo tanto, afectar\u00eda la confidencialidad, integridad y disponibilidad de la instalaci\u00f3n de XWiki. Esta vulnerabilidad ha sido parcheada en XWiki 14.10.8 y 15.3RC1. No se conocen workarounds aparte de desactivar el convertidor de Office.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":9.9,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.1,\"impactScore\":6.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"},{\"lang\":\"en\",\"value\":\"CWE-23\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.5\",\"versionEndExcluding\":\"14.10.8\",\"matchCriteriaId\":\"80C139ED-96A3-417E-A6E0-3C661572BFC3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"15.0\",\"versionEndExcluding\":\"15.3\",\"matchCriteriaId\":\"8B184228-E638-401A-ABF5-6D2ED76DF8CB\"}]}]}],\"references\":[{\"url\":\"https://github.com/xwiki/xwiki-platform/commit/45d182a4141ff22f3ff289cf71e4669bdc714544\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-vcvr-v426-3m3m\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://jira.xwiki.org/browse/XWIKI-20715\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/xwiki/xwiki-platform/commit/45d182a4141ff22f3ff289cf71e4669bdc714544\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-vcvr-v426-3m3m\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://jira.xwiki.org/browse/XWIKI-20715\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Patch\",\"Vendor Advisory\"]}]}}" } }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.