Lucene search

[email protected]CVE-2024-21651

HistoryJan 09, 2024 - 12:15 a.m.

CVE-2024-21651

2024-01-0900:15:44

CWE-400

[email protected]

web.nvd.nist.gov

xwiki

platform

wiki

tar

file

attachment

dos

tika

cpu consumption

vulnerability

patch

nvd

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

6.3 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

17.0%

JSON

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A user able to attach a file to a page can post a malformed TAR file by manipulating file modification times headers, which when parsed by Tika, could cause a denial of service issue via CPU consumption. This vulnerability has been patched in XWiki 14.10.18, 15.5.3 and 15.8 RC1.

Affected configurations

Vulners

NVD

Node

xwikixwikiRange14.10–14.10.18

xwikixwikiRange15.0-rc-1–15.5.3

xwikixwikiRange15.6-rc-1–15.8-rc-1

VendorProductVersionCPE
xwikixwiki*cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
xwikixwiki*cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
xwikixwiki*cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
xwiki	xwiki	*	cpe:2.3:a:xwiki:xwiki::::::::
xwiki	xwiki	*	cpe:2.3:a:xwiki:xwiki::::::::
xwiki	xwiki	*	cpe:2.3:a:xwiki:xwiki::::::::

CNA Affected

[
  {
    "vendor": "xwiki",
    "product": "xwiki-platform",
    "versions": [
      {
        "version": ">= 14.10, < 14.10.18",
        "status": "affected"
      },
      {
        "version": ">= 15.0-rc-1, < 15.5.3",
        "status": "affected"
      },
      {
        "version": ">= 15.6-rc-1, < 15.8-rc-1",
        "status": "affected"
      }
    ]
  }
]