Headline
CVE-2023-26559: SYNC-2023-042301 - Directory Traversal
A directory traversal vulnerability in Oxygen XML Web Author before 25.0.0.3 build 2023021715 and Oxygen Content Fusion before 5.0.3 build 2023022015 allows an attacker to read files from a WEB-INF directory via a crafted HTTP request. (XML Web Author 24.1.0.3 build 2023021714 and 23.1.1.4 build 2023021715 are also fixed versions.)
Severity: Low2023-04-07
Security Advisories
Abstract
A directory traversal vulnerability in Oxygen XML Web Author before 25.0.0.3 build 2023021715 and Oxygen Content Fusion before 5.0.3 build 2023022015 allows an attacker to read files from a WEB-INF directory via a crafted HTTP request. (XML Web Author 24.1.0.3 build 2023021714 and 23.1.1.4 build 2023021715 are also fixed versions.)
The Oxygen products incorporate $LIBRARY$ as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
Affected Products/Versions****Mitigation****Oxygen XML Web Author
If for whatever reason you cannot secure your Oxygen XML Web Author service by updating it using the kits above-mentioned, as an alternate solution you can disable caching in Tomcat:
- locate the context.xml file that is usually located in tomcat/conf/ folder
- edit the context.xml file and add the following code snippet in the root element: <Resources cachingAllowed="false"/>
- restart the Tomcat server
Please note that the installation of the kits is the preferred solution, and the workaround should only be considered as a temporary measure until the kits can be used.
Oxygen Content Fusion
If for whatever reason you cannot secure your Oxygen Content Fusion by updating it using the kit above-mentioned, as a security workaround you can disable caching in Tomcat for the Web Author service by following the below steps for Content Fusion 5.0:
- open a shell (SSH) inside the server where Content Fusion is installed and run the following commands:
- export VERSION=5.0
- sudo docker tag oxygenxml/webreviewer-webauthor:v$VERSION oxygenxml/webreviewer-webauthor:v$VERSION-backup
- sudo docker create --name tmp oxygenxml/webreviewer-webauthor:v$VERSION
- sudo docker cp tmp:/tomcat/conf/context.xml context-to-fix.xml
- sed -i ‘s/<\/Context>/<Resources cachingAllowed="false"\/><\/Context>/g’ context-to-fix.xml
- sudo docker cp context-to-fix.xml tmp:/tomcat/conf/context.xml
- sudo docker commit tmp oxygenxml/webreviewer-webauthor:v$VERSION
- sudo docker rm tmp
- rm -rf context-to-fix.xml
- restart the server, see this documentation topic.
For Content Fusion 4.1 use the above procedure but instead of export VERSION=5.0 run export VERSION=4.1.
Note that the installation of the kit is the preferred solution, and the workaround should only be considered as a temporary measure until the kits can be used.
Detail
SYNC-2023-042301
Severity: High
CVSS Score: 7.5
Using special requests, a remote attacker may read files from WEB-INF directory of Oxygen XML Web Author application. However, by default, this directory does not contain sensitive information so the severity of this issue should be seen as low.
List of Security Advisories