Headline
GHSA-8959-rfxh-r4j4: XWiki vulnerable to Denial of Service attack through attachments
Impact
A user able to attach a file to a page can post a malformed TAR file by manipulating file modification times headers, which when parsed by Tika, could cause a denial of service issue via CPU consumption.
Patches
This vulnerability has been patched in XWiki 14.10.18, 15.5.3 and 15.8 RC1.
Workarounds
The workaround is to download commons-compress 1.24 and replace the one located in XWiki WEB-INF/lib/ folder.
References
https://jira.xwiki.org/browse/XCOMMONS-2796
For more information
If you have any questions or comments about this advisory:
- Open an issue in Jira XWiki.org
- Email us at Security Mailing List
Package
maven org.xwiki.platform:xwiki-platform-distribution-war (Maven)
Affected versions
>= 14.10, < 14.10.18
>= 15.0-rc-1, < 15.5.3
>= 15.6-rc-1, < 15.8-rc-1
Patched versions
14.10.18
15.5.3
15.8-rc-1
Description
Impact
A user able to attach a file to a page can post a malformed TAR file by manipulating file modification times headers, which when parsed by Tika, could cause a denial of service issue via CPU consumption.
Patches
This vulnerability has been patched in XWiki 14.10.18, 15.5.3 and 15.8 RC1.
Workarounds
The workaround is to download commons-compress 1.24 and replace the one located in XWiki WEB-INF/lib/ folder.
References
https://jira.xwiki.org/browse/XCOMMONS-2796
For more information
If you have any questions or comments about this advisory:
- Open an issue in Jira XWiki.org
- Email us at Security Mailing List
References
- GHSA-8959-rfxh-r4j4
- https://jira.xwiki.org/browse/XCOMMONS-2796
- https://search.maven.org/remotecontent?filepath=org/apache/commons/commons-compress/1.24.0/commons-compress-1.24.0.jar
tmortagne published to xwiki/xwiki-platform
Jan 8, 2024
Published to the GitHub Advisory Database
Jan 8, 2024
Reviewed
Jan 8, 2024
Last updated
Jan 8, 2024