GHSA-GX4F-976G-7G6V
Vulnerability from github – Published: 2023-03-08 17:19 – Updated: 2023-03-08 17:19Impact
Any user with edit rights on a document can trigger a XAR import on a forged XAR file, leading to the ability to display the content of any file on the XWiki server host.
Example to reproduce:
* Create a forget XAR file and inside it, have the following package.xml content:
```xml
]>
&xxe;
&xxe; Helper pages for creating and listing Class/Template/Sheets
XWiki.Admin
...
``
* Upload it onto a wiki page (e.g.XXE) as an attachment (e.g.test.xar).
* Call the page usinghttp://localhost:8080/xwiki/bin/view/Main/XXE?sheet=XWiki.AdminImportSheet&file=test.xar`
You'll then notice that the displayed UI contains the content of the /etc/passwd file.
Patches
The vulnerability has been patched in XWiki 13.10.11, 14.4.7 and 14.10-rc-1.
Workarounds
You'd need to get XWiki Platform sources and apply the changes from https://github.com/xwiki/xwiki-platform/commit/e3527b98fdd8dc8179c24dc55e662b2c55199434 to the XarPackage java class and then copy the modified version to your WEB-INF/classes directory (or rebuild the xwiki-platform-xar-model maven module and replace the one found in WEB-INF/lib/).
References
- https://github.com/xwiki/xwiki-platform/commit/e3527b98fdd8dc8179c24dc55e662b2c55199434
- https://jira.xwiki.org/browse/XWIKI-20320
For more information
If you have any questions or comments about this advisory: * Open an issue in Jira XWiki.org * Email us at Security Mailing List
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-xar-model"
},
"ranges": [
{
"events": [
{
"introduced": "1.1-milestone-3"
},
{
"fixed": "13.10.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-xar-model"
},
"ranges": [
{
"events": [
{
"introduced": "14.0"
},
{
"fixed": "14.4.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-xar-model"
},
"ranges": [
{
"events": [
{
"introduced": "14.5"
},
{
"fixed": "14.10-rc-1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-27480"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2023-03-08T17:19:30Z",
"nvd_published_at": "2023-03-07T19:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\nAny user with edit rights on a document can trigger a XAR import on a forged XAR file, leading to the ability to display the content of any file on the XWiki server host.\n\nExample to reproduce:\n* Create a forget XAR file and inside it, have the following `package.xml` content:\n ```xml\n \u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\n \u003c!DOCTYPE foo [ \u003c!ENTITY xxe SYSTEM \"file:///etc/passwd\"\u003e ]\u003e\n\n \u003cpackage\u003e\n \u003cinfos\u003e\n \u003cname\u003e\u0026xxe;\u003c/name\u003e\n \u003cdescription\u003e \u0026xxe; Helper pages for creating and listing Class/Template/Sheets\u003c/description\u003e\n \u003clicence\u003e\u003c/licence\u003e\n \u003cauthor\u003eXWiki.Admin\u003c/author\u003e\n ...\n ```\n* Upload it onto a wiki page (e.g. `XXE`) as an attachment (e.g. `test.xar`).\n* Call the page using `http://localhost:8080/xwiki/bin/view/Main/XXE?sheet=XWiki.AdminImportSheet\u0026file=test.xar`\n\nYou\u0027ll then notice that the displayed UI contains the content of the `/etc/passwd` file.\n\n### Patches\nThe vulnerability has been patched in XWiki 13.10.11, 14.4.7 and 14.10-rc-1.\n\n### Workarounds\nYou\u0027d need to get XWiki Platform sources and apply the changes from https://github.com/xwiki/xwiki-platform/commit/e3527b98fdd8dc8179c24dc55e662b2c55199434 to the `XarPackage` java class and then copy the modified version to your `WEB-INF/classes` directory (or rebuild the `xwiki-platform-xar-model` maven module and replace the one found in `WEB-INF/lib/`).\n\n### References\n* https://github.com/xwiki/xwiki-platform/commit/e3527b98fdd8dc8179c24dc55e662b2c55199434\n* https://jira.xwiki.org/browse/XWIKI-20320\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)\n* Email us at [Security Mailing List](mailto:security@xwiki.org)\n",
"id": "GHSA-gx4f-976g-7g6v",
"modified": "2023-03-08T17:19:30Z",
"published": "2023-03-08T17:19:30Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-gx4f-976g-7g6v"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27480"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/commit/e3527b98fdd8dc8179c24dc55e662b2c55199434"
},
{
"type": "PACKAGE",
"url": "https://github.com/xwiki/xwiki-platform"
},
{
"type": "WEB",
"url": "https://jira.xwiki.org/browse/XWIKI-20320"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "XWiki Platform vulnerable to data leak via Improper Restriction of XML External Entity Reference"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.