GHSA-XM4H-3JXR-M3C6

Vulnerability from github – Published: 2024-04-10 17:13 – Updated: 2024-04-10 22:01
VLAI?
Summary
XWiki Platform: Remote code execution through space title and Solr space facet
Details

Impact

By creating a document with a specially crafted title, it is possible to trigger remote code execution in the (Solr-based) search in XWiki. This allows any user who can edit the title of a space (all users by default) to execute any Groovy code in the XWiki installation which compromises the confidentiality, integrity and availability of the whole XWiki installation.

To reproduce, as a user without script nor programming rights, create a document with title {{/html}}{{async}}{{groovy}}println("Hello from Groovy Title!"){{/groovy}}{{/async}} and content Test Document. Using the search UI, search for "Test Document", then deploy the Location facet on the right of the screen, next to the search results. The installation is vulnerable if you see an item such as:

Hello from Groovy Title!
</a>
<div class="itemCount">1</div>
</li>
</ul>
{{/html}}

Patches

This has been patched in XWiki 14.10.20, 15.5.4 and 15.10 RC1.

Workarounds

Modify the Main.SolrSpaceFacet page following this patch.

References

  • https://jira.xwiki.org/browse/XWIKI-21471
  • https://github.com/xwiki/xwiki-platform/commit/acba74c149a041345b24dcca52c586f872ba97fb
  • https://github.com/xwiki/xwiki-platform/commit/74e301c481e69eeea674dac7fed6af3614cf08c5
Severity ?
9.9 (Critical)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-search-solr-ui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.2-rc-1"
            },
            {
              "fixed": "14.10.20"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-search-solr-ui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "15.0-rc-1"
            },
            {
              "fixed": "15.5.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-search-solr-ui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "15.6-rc-1"
            },
            {
              "fixed": "15.10-rc-1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-31984"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94",
      "CWE-95"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-10T17:13:15Z",
    "nvd_published_at": "2024-04-10T20:15:08Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\nBy creating a document with a specially crafted title, it is possible to trigger remote code execution in the (Solr-based) search in XWiki. This allows any user who can edit the title of a space (all users by default) to execute any Groovy code in the XWiki installation which compromises the confidentiality, integrity and availability of the whole XWiki installation.\n\nTo reproduce, as a user without script nor programming rights, create a document with title `{{/html}}{{async}}{{groovy}}println(\"Hello from Groovy Title!\"){{/groovy}}{{/async}}` and content `Test Document`. Using the search UI, search for `\"Test Document\"`, then deploy the `Location` facet on the right of the screen, next to the search results. The installation is vulnerable if you see an item such as:\n```\nHello from Groovy Title!\n\u003c/a\u003e\n\u003cdiv class=\"itemCount\"\u003e1\u003c/div\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n{{/html}}\n```\n\n### Patches\nThis has been patched in XWiki 14.10.20, 15.5.4 and 15.10 RC1.\n\n### Workarounds\nModify the `Main.SolrSpaceFacet` page following this [patch](https://github.com/xwiki/xwiki-platform/commit/acba74c149a041345b24dcca52c586f872ba97fb#diff-22dd1949ed9019a39f2550f5a953a1a967c30a374dc9eeddb74069bf229b17d5).\n\n### References\n* https://jira.xwiki.org/browse/XWIKI-21471\n* https://github.com/xwiki/xwiki-platform/commit/acba74c149a041345b24dcca52c586f872ba97fb\n* https://github.com/xwiki/xwiki-platform/commit/74e301c481e69eeea674dac7fed6af3614cf08c5\n",
  "id": "GHSA-xm4h-3jxr-m3c6",
  "modified": "2024-04-10T22:01:16Z",
  "published": "2024-04-10T17:13:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-xm4h-3jxr-m3c6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31984"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/commit/43c9d551e3c11e9d8f176b556dd33bbe31fc66e0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/commit/5ef9d294d37be92ee22b2549e38663b29dce8767"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/commit/74e301c481e69eeea674dac7fed6af3614cf08c5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/commit/94fc12db87c2431eb1335ecb9c2954b1905bde62"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/commit/acba74c149a041345b24dcca52c586f872ba97fb"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/commit/ef55105d6eeec5635fd693f0070c5aaaf3bdd940"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/xwiki/xwiki-platform"
    },
    {
      "type": "WEB",
      "url": "https://jira.xwiki.org/browse/XWIKI-21471"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XWiki Platform: Remote code execution through space title and Solr space facet"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.