GHSA-8959-rfxh-r4j4: XWiki vulnerable to Denial of Service attack through attachments

Impact

A user who is able to attach a file to a page can upload a malformed TAR file whose file modification time headers have been manipulated; when Tika parses such a file, it can cause a denial of service through excessive CPU consumption.

Patches

This vulnerability has been patched in XWiki 14.10.18, 15.5.3 and 15.8 RC1.

Workarounds

The workaround is to download commons-compress 1.24 and replace the copy located in XWiki's WEB-INF/lib/ folder with it.
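As an added example (not part of the advisory or of XWiki itself), the following POSIX shell snippet checks an XWiki WEB-INF/lib/ folder and reports whether the bundled commons-compress jar is older than the 1.24 release the workaround calls for. It assumes the jar follows the Maven artifact naming seen in the reference above (commons-compress-<version>.jar); the lib directory path is an assumption to be replaced with the real deployment path.

```shell
#!/bin/sh
# Added example, not XWiki's own tooling: verify that the commons-compress jar
# in an XWiki WEB-INF/lib/ folder is at or above 1.24 (the advisory's workaround).

# needs_upgrade VERSION
# Returns 0 (true) when VERSION is below 1.24, i.e. the jar should be replaced.
# Pre-release suffixes such as "-SNAPSHOT" are stripped before comparing.
needs_upgrade() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    major=$(printf '%s' "$v" | cut -d. -f1)
    minor=$(printf '%s' "$v" | cut -s -d. -f2)
    major=${major:-0}
    minor=${minor:-0}
    if [ "$major" -lt 1 ]; then return 0; fi
    if [ "$major" -gt 1 ]; then return 1; fi
    [ "$minor" -lt 24 ]
}

# check_lib_dir DIR
# Lists every commons-compress-*.jar under DIR and flags those below 1.24.
# Returns 0 when all jars found are 1.24 or newer, 1 otherwise (or if none found).
check_lib_dir() {
    status=0
    for jar in "$1"/commons-compress-*.jar; do
        if [ ! -e "$jar" ]; then
            echo "no commons-compress jar found in $1"
            return 1
        fi
        base=$(basename "$jar" .jar)
        ver=${base#commons-compress-}
        if needs_upgrade "$ver"; then
            echo "VULNERABLE: $jar (version $ver is below 1.24)"
            status=1
        else
            echo "ok: $jar (version $ver)"
        fi
    done
    return $status
}

# Usage: ./check-commons-compress.sh /path/to/xwiki/WEB-INF/lib  (path is an assumption)
if [ "$#" -gt 0 ]; then
    check_lib_dir "$1"
fi
```

A non-zero exit status means at least one jar still needs the replacement described above; the script only inspects file names, so after swapping the jar, restart XWiki and re-run it to confirm the old copy is gone.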

References

https://jira.xwiki.org/browse/XCOMMONS-2796


Package

org.xwiki.platform:xwiki-platform-distribution-war (Maven)

Affected versions

>= 14.10, < 14.10.18

>= 15.0-rc-1, < 15.5.3

>= 15.6-rc-1, < 15.8-rc-1

Patched versions

14.10.18

15.5.3

15.8-rc-1

For more information

If you have any questions or comments about this advisory:

  • Open an issue in Jira XWiki.org
  • Email us at Security Mailing List

References

  • GHSA-8959-rfxh-r4j4
  • https://jira.xwiki.org/browse/XCOMMONS-2796
  • https://search.maven.org/remotecontent?filepath=org/apache/commons/commons-compress/1.24.0/commons-compress-1.24.0.jar

tmortagne published to xwiki/xwiki-platform

Jan 8, 2024

Published to the GitHub Advisory Database

Jan 8, 2024

Reviewed

Jan 8, 2024

Last updated

Jan 8, 2024
