Security
Headlines
HeadlinesLatestCVEs

Source

ghsa

GHSA-qx9h-c5v6-ghqh: org.xwiki.platform:xwiki-platform-panels-ui Eval Injection vulnerability

### Impact Any user with edit rights can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the included pages in the IncludedDocuments panel. **Precondition**: As an admin, add the `Panels.IncludedDocuments` panel on one column. A proof of concept exploit is to edit a document and add the following code before saving. ``` {{display reference="{{cache~}~}{{groovy~}~}println(~"Hello from Groovy~" + ~" in included document!~"){{/groovy~}~}{{/cache~}~}"/}} ``` **expected** The right had side panels contain: ``` One included page: {{cache}}{{groovy}}println("Hello from Groovy" + " in included document!"){{/groovy}}{{/cache}} ``` **actual** The right had side panels contain: ``` One included page: XWiki.Hello from Groovy in included document! ``` ### Patches The problem has been patched on XWiki 14.4.7, and 14.10. ### Workarounds The issue can be fixed manually applying this [patch](h...

ghsa
Open in Source
#vulnerability#git#java#jira#maven
GHSA-4655-wh7v-3vmg: org.xwiki.platform:xwiki-platform-logging-ui Eval Injection vulnerability

### Impact #### Steps to reproduce: It is possible to trick a user with programming rights into visiting <xwiki-host>/xwiki/bin/view/XWiki/LoggingAdmin?loggeraction_set=1&logger_name=%7B%7Bcache%7D%7D%7B%7Bgroovy%7D%7Dnew+File%28%22%2Ftmp%2Fexploit.txt%22%29.withWriter+%7B+out+-%3E+out.println%28%22created+from+notification+filter+preferences%21%22%29%3B+%7D%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fcache%7D%7D&logger_level=TRACE where <xwiki-host> is the URL of your XWiki installation, e.g., by embedding an image with this URL in a document that is viewed by a user with programming rights. #### Expected result: No file in /tmp/exploit.txt has been created. #### Actual result: The file `/tmp/exploit.txt` is been created with content "created from notification filter preferences!". This demonstrates a CSRF remote code execution vulnerability that could also be used for privilege escalation or data leaks (if the XWiki installation can reach remote hosts). ### Patches The problem has been pat...

GHSA-c5f4-p5wv-2475: xwiki.platform:xwiki-platform-panels-ui Eval Injection vulnerability

### Impact Any user with edit rights can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the included pages in the included documents edit panel. A proof of concept exploit is to edit a document and add the following code before saving. ``` {{display reference="{{cache~}~}{{groovy~}~}println(~"Hello from Groovy~" + ~" in included document!~"){{/groovy~}~}{{/cache~}~}"/}} ``` **expected** The right had side panels contain: ``` One included page: {{cache}}{{groovy}}println("Hello from Groovy" + " in included document!"){{/groovy}}{{/cache}} ``` **actual** The right had side panels contain: ``` One included page: XWiki.Hello from Groovy in included document! ``` ### Patches The problem has been patched on XWiki 14.4.7, and 14.10. ### Workarounds The issue can be fixed manually applying this [patch](https://github.com/xwiki/xwiki-platform/commit/22f249a0eb9f2a64214628217e812a994419...

GHSA-w7v9-fc49-4qg4: org.xwiki.platform:xwiki-platform-wiki-ui-mainwiki Eval Injection vulnerability

### Impact Any user with view rights `WikiManager.DeleteWiki` can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the `wikiId` url parameter. A proof of concept exploit is to open <xwiki-host>/xwiki/bin/view/WikiManager/DeleteWiki?wikiId=%22+%2F%7D%7D+%7B%7Basync+async%3D%22true%22+cached%3D%22false%22+context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22Hello+from+groovy%21%22%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D where <xwiki-host> is the URL of your XWiki installation. ### Patches The problem has been patched on XWiki 13.10.11, 14.4.7, and 14.10. ### Workarounds The issue can be fixed manually applying this [patch](https://github.com/xwiki/xwiki-platform/commit/ba4c76265b0b8a5e2218be400d18f08393fe1428#diff-64f39f5f2cc8c6560a44e21a5cfd509ef00e8a2157cd9847c9940a2e08ea43d1R63-R64). ### References - https://jira.xwiki.org/browse/XWIKI-20297 - https://github.com/xw...

GHSA-p9mj-v5mf-m82x: org.xwiki.platform:xwiki-platform-notifications-ui Eval Injection vulnerability

### Impact Any user with view rights on commonly accessible documents including the notification preferences macros can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the user parameter of the macro that provide the [notification filters](https://extensions.xwiki.org/xwiki/bin/view/Extension/Notifications%20Application/#HFilters). These macros are used in the user profiles and thus installed by default in XWiki. A proof of concept exploit is ``` {{notificationsFiltersPreferences target="user" user="~" /~}~} {{async async=~"true~" cached=~"false~" context=~"doc.reference~"~}~}{{groovy~}~}new File(~"/tmp/exploit.txt~").withWriter { out -> out.println(~"created from filter preferences!~"); }{{/groovy~}~}{{/async~}~}"/}} {{notificationsAutoWatchPreferences target="user" user="~" /~}~} {{async async=~"true~" cached=~"false~" context=~"doc.reference~"~}~}{{groovy~}~}new File(~"/tmp/exploit...

GHSA-9pc2-x9qf-7j2q: org.xwiki.platform:xwiki-platform-legacy-notification-activitymacro Eval Injection vulnerability

### Impact Any user with view rights on commonly accessible documents including the legacy notification activity macro can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the macro parameters of the [legacy notification activity macro](https://extensions.xwiki.org/xwiki/bin/view/Extension/Legacy%20Notification%20Activity%20Macro/). This macro is installed by default in XWiki. A proof of concept exploit is ``` {{activity wikis="~" /~}~} {{async async=~"true~" cached=~"false~" context=~"doc.reference~"~}~}{{groovy~}~}println(~"Hello from Groovy!~"){{/groovy~}~}"/}} ``` If the output of this macro is ``` The [notifications] macro is a standalone macro and it cannot be used inline. Click on this message for details. Hello from Groovy!" displayMinorEvents="false" displayRSSLink="false" /}} ``` or similar, the XWiki installation is vulnerable. The vulnerability can be exploited via ever...

GHSA-4f8g-fq6x-jqrr: org.xwiki.platform:xwiki-platform-oldcore vulnerable to data leak through deleted documents

### Impact Rights added to a document are not taken into account for viewing it once it's deleted. Note that this vulnerability only impact deleted documents that where containing view rights: the view rights provided on a space of a deleted document are properly checked. ### Patches The problem has been patched in XWiki 14.10 by checking the rights of current user: only admin and deleter of the document are allowed to view it. ### Workarounds There is no workaround for this vulnerability other than upgrading. ### References * Jira ticket: https://jira.xwiki.org/browse/XWIKI-16285 * Commit: https://github.com/xwiki/xwiki-platform/commit/d9e947559077e947315bf700c5703dfc7dd8a8d7 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira](https://jira.xwiki.org) * Email us at [security ML](mailto:[email protected])

GHSA-v5hq-cqqr-6w4g: Jenkins Kubernetes Plugin does not properly mask credentials

Multiple Jenkins plugins do not properly mask (i.e., replace with asterisks) credentials printed in the build log from Pipeline steps like sh and bat, when both of the following conditions are met: - The credentials are printed in build steps executing on an agent (typically inside a node block). - Push mode for durable task logging is enabled. This is a hidden option in Pipeline: Nodes and Processes that can be enabled through the Java system property org.jenkinsci.plugins.workflow.steps.durable_task.DurableTaskStep.USE_WATCHING. It is also automatically enabled by some plugins, e.g., OpenTelemetry and Pipeline Logging over CloudWatch. The following plugins are affected by this vulnerability: - Kubernetes 3909.v1f2c633e8590 and earlier (SECURITY-3079 / CVE-2023-30513) - Azure Key Vault 187.va_cd5fecd198a_ and earlier (SECURITY-3051 / CVE-2023-30514) - Thycotic DevOps Secrets Vault 1.0.0 (SECURITY-3078 / CVE-2023-30515) The following plugins have been updated to properly mask cr...

GHSA-gmxm-pr58-v5jc: Jenkins Azure Key Vault Plugin does not properly mask credentials

Multiple Jenkins plugins do not properly mask (i.e., replace with asterisks) credentials printed in the build log from Pipeline steps like sh and bat, when both of the following conditions are met: - The credentials are printed in build steps executing on an agent (typically inside a node block). - Push mode for durable task logging is enabled. This is a hidden option in Pipeline: Nodes and Processes that can be enabled through the Java system property org.jenkinsci.plugins.workflow.steps.durable_task.DurableTaskStep.USE_WATCHING. It is also automatically enabled by some plugins, e.g., OpenTelemetry and Pipeline Logging over CloudWatch. The following plugins are affected by this vulnerability: - Kubernetes 3909.v1f2c633e8590 and earlier (SECURITY-3079 / CVE-2023-30513) - Azure Key Vault 187.va_cd5fecd198a_ and earlier (SECURITY-3051 / CVE-2023-30514) - Thycotic DevOps Secrets Vault 1.0.0 (SECURITY-3078 / CVE-2023-30515) The following plugins have been updated to properly mask cr...

GHSA-38jc-2rwx-qgxr: Jenkins Image Tag Parameter Plugin improperly introduces option to opt out of SSL/TLS certificate validation

Jenkins Image Tag Parameter Plugin 2.0 improperly introduces an option to opt out of SSL/TLS certificate validation when connecting to Docker registries. Job configurations using Image Tag Parameters that were created before 2.0 will have SSL/TLS certificate validation disabled by default.