GHSA-987P-R3JC-8C8V

Vulnerability from github – Published: 2025-04-29 13:59 – Updated: 2025-04-30 17:29
VLAI?
Summary
Solr script service doesn't take dropped programming right into account
Details

Impact

The Solr script service that is accessible in XWiki's scripting API normally requires programming right to be called. Due to using the wrong API for checking rights, it doesn't take the fact into account that programming rights might have been dropped by calling $xcontext.dropPermissions(). If some code relies on this for the safety of executing Velocity code with the wrong author context, this could allow a user with script right to either cause a high load by indexing documents or to temporarily remove documents from the search index. We're not aware that this is exploitable in XWiki itself.

To reproduce, a user with programming right can add the following XWiki syntax to a page:

{{velocity}}
$xcontext.dropPermissions()
$services.solr.index('document:xwiki:Main.WebHome')
{{/velocity}}

This should trigger an error in XWiki's log, otherwise the installation is vulnerable.

Patches

This has been patched in XWiki 15.10.13, 16.8.0RC1, and 16.4.4.

Workarounds

We're not aware of any workarounds apart from being careful whom you grant script right.

Severity ?
3.8 (Low)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-search-solr-api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.5.1"
            },
            {
              "fixed": "15.10.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-search-solr-api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "16.0.0-rc-1"
            },
            {
              "fixed": "16.4.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-search-solr-api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "16.5.0-rc-1"
            },
            {
              "fixed": "16.8.0-rc-1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-32971"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-29T13:59:45Z",
    "nvd_published_at": "2025-04-30T15:16:01Z",
    "severity": "LOW"
  },
  "details": "### Impact\nThe Solr script service that is accessible in XWiki\u0027s scripting API normally requires programming right to be called. Due to using the wrong API for checking rights, it doesn\u0027t take the fact into account that programming rights might have been dropped by calling `$xcontext.dropPermissions()`. If some code relies on this for the safety of executing Velocity code with the wrong author context, this could allow a user with script right to either cause a high load by indexing documents or to temporarily remove documents from the search index. We\u0027re not aware that this is exploitable in XWiki itself.\n\nTo reproduce, a user with programming right can add the following XWiki syntax to a page:\n```\n{{velocity}}\n$xcontext.dropPermissions()\n$services.solr.index(\u0027document:xwiki:Main.WebHome\u0027)\n{{/velocity}} \n```\n\nThis should trigger an error in XWiki\u0027s log, otherwise the installation is vulnerable.\n\n### Patches\nThis has been patched in XWiki 15.10.13, 16.8.0RC1, and 16.4.4.\n\n### Workarounds\nWe\u0027re not aware of any workarounds apart from being careful whom you grant script right.",
  "id": "GHSA-987p-r3jc-8c8v",
  "modified": "2025-04-30T17:29:21Z",
  "published": "2025-04-29T13:59:45Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-987p-r3jc-8c8v"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32971"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/commit/6570f40f976aec82baf388b5239d1412cab238c9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/xwiki/xwiki-platform"
    },
    {
      "type": "WEB",
      "url": "https://jira.xwiki.org/browse/XWIKI-22474"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Solr script service doesn\u0027t take dropped programming right into account"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.