GHSA-9qrp-h7fw-42hg: Path Traversal in XWiki Platform


Package: org.xwiki.platform:xwiki-platform-oldcore (Maven)

Affected versions: >= 8.3-rc-1, < 13.10.3

Patched versions: 13.10.3

Description

Impact

One can ask for any file located in the classloader using the template API and a path containing ".." in it. For example:

{{template name="../xwiki.hbm.xml"/}}

To our knowledge, none of the files available from the classloader in XWiki Standard contain strongly confidential data, hence the low confidentiality value of this advisory.
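The lookup pattern behind this class of bug, as an added illustration that is not XWiki's own code and not the fix in the referenced commit: a caller-controlled template name is concatenated onto a fixed classloader prefix and passed straight to getResource, so a name beginning with "../" reaches resources that live beside the templates directory rather than inside it. The class name, the "templates/" prefix, the sample files and the secret.txt stand-in for a non-template resource are assumptions made for the demo. The hardened variant normalises the name segment by segment and refuses anything that would climb above its own root before concatenating. On the JDK's URLClassLoader over a directory entry the loader canonicalises the path and refuses names that leave the classpath root, which is why the vulnerable lookup below reaches a sibling file such as secret.txt but not arbitrary filesystem paths; that matches the advisory's scope of "any file located in the classloader".

```java
import java.io.IOException;
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayDeque;
import java.util.Deque;

/**
 * Added illustration, not XWiki's code: a classloader-backed template lookup
 * in the vulnerable shape (prefix + untrusted name) next to a hardened one.
 * The class name, the "templates/" prefix and the sample files are assumptions.
 */
public class TemplateLookupDemo {

    /** Classloader location under which templates are expected to live (assumed). */
    static final String TEMPLATES_PREFIX = "templates/";

    /**
     * Vulnerable shape: the caller-controlled name is glued to the prefix and
     * handed straight to the classloader. "../secret.txt" therefore asks for
     * "templates/../secret.txt", which resolves to a resource that lives
     * beside the templates directory, not inside it.
     */
    static URL lookupVulnerable(ClassLoader cl, String templateName) {
        return cl.getResource(TEMPLATES_PREFIX + templateName);
    }

    /**
     * Hardened shape: normalise the name first, refuse any name that would
     * climb above its own root, and only then concatenate.
     */
    static URL lookupHardened(ClassLoader cl, String templateName) {
        String clean = normalizeRelative(templateName);
        if (clean == null) {
            return null; // traversal attempt or malformed name: treat as "no such template"
        }
        return cl.getResource(TEMPLATES_PREFIX + clean);
    }

    /**
     * Collapse "." and ".." segments of a '/'-separated relative name.
     * Returns null when the name is absolute, contains backslashes (which a
     * filesystem may treat as separators), is empty after normalisation, or
     * has more ".." segments than preceding ones (i.e. would escape its root).
     */
    static String normalizeRelative(String name) {
        if (name == null || name.startsWith("/") || name.contains("\\")) {
            return null;
        }
        Deque<String> out = new ArrayDeque<>();
        for (String segment : name.split("/")) {
            if (segment.isEmpty() || segment.equals(".")) {
                continue;
            }
            if (segment.equals("..")) {
                if (out.isEmpty()) {
                    return null; // would climb above the templates root
                }
                out.removeLast();
                continue;
            }
            out.addLast(segment);
        }
        return out.isEmpty() ? null : String.join("/", out);
    }

    public static void main(String[] args) throws IOException {
        // Constructed classpath root: templates/hello.vm is a legitimate
        // template; secret.txt stands in for a non-template resource (a
        // mapping or properties file) that the same classloader can see.
        Path root = Files.createTempDirectory("classpath-root");
        Files.createDirectories(root.resolve("templates"));
        Files.writeString(root.resolve("templates/hello.vm"), "Hello $name");
        Files.writeString(root.resolve("secret.txt"), "not a template");

        // Parent null: no delegation, so only the constructed root is searched.
        try (URLClassLoader cl = new URLClassLoader(new URL[] { root.toUri().toURL() }, null)) {
            System.out.println("vulnerable hello.vm      : " + lookupVulnerable(cl, "hello.vm"));
            System.out.println("vulnerable ../secret.txt : " + lookupVulnerable(cl, "../secret.txt"));
            System.out.println("hardened   hello.vm      : " + lookupHardened(cl, "hello.vm"));
            System.out.println("hardened   ../secret.txt : " + lookupHardened(cl, "../secret.txt"));
        }
    }
}
```

Run with `java TemplateLookupDemo.java` (Java 11 or later): the second line prints a file: URL for secret.txt, the fourth prints null. The check is applied to the name before concatenation rather than to the URL the loader returns, because jar: and file: URLs would need different parsing and a post-hoc check is easy to get wrong. If normalisation of "a/../b" into "b" is not wanted, the stricter option is to reject any name containing a ".." segment outright.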

Patches

The issue is patched in versions 14.0 and 13.10.3.

Workarounds

There is no easy workaround for this issue; administrators should upgrade their wiki.

References

  • https://jira.xwiki.org/browse/XWIKI-19349
  • https://github.com/xwiki/xwiki-platform/commit/4917c8f355717bb636d763844528b1fe0f95e8e2

For more information

If you have any questions or comments about this advisory:

  • Open an issue in Jira XWiki
  • Email us at security mailing list

References

  • GHSA-9qrp-h7fw-42hg
  • https://nvd.nist.gov/vuln/detail/CVE-2022-29253
  • https://github.com/xwiki/xwiki-platform/commit/4917c8f355717bb636d763844528b1fe0f95e8e2
  • https://jira.xwiki.org/browse/XWIKI-19349

surli published the maintainer security advisory on May 25, 2022.

Severity: Low (2.7 / 10)

CVSS base metrics

  • Attack vector: Network
  • Attack complexity: Low
  • Privileges required: High
  • User interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: None
  • Availability: None

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Weaknesses: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, "Path Traversal")

CVE ID: CVE-2022-29253

GHSA ID: GHSA-9qrp-h7fw-42hg

Source code: xwiki/xwiki-platform


Related news

CVE-2022-29253: XWIKI-19349: Bad handling of classloader templates path resolution (xwiki/xwiki-platform@4917c8f)

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting with version 8.3-rc-1 and prior to versions 13.10.3 and 14.0, one can ask for any file located in the classloader using the template API and a path containing ".." in it. The issue is patched in versions 14.0 and 13.10.3. There is no easy workaround for this issue.