Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
githubGitHub Advisory DatabaseGHSA-VCVR-V426-3M3M
HistoryOct 25, 2023 - 9:08 p.m.

org.xwiki.platform:xwiki-platform-office-importer vulnerable to arbitrary server side file writing from account through office converter

2023-10-2521:08:32
CWE-22
GitHub Advisory Database
github.com
13
xwiki
office converter
vulnerability
arbitrary file writing
java process
attachment moving
rest api
exploitation
mime type
xwiki installation
linux
patch
workaround
jira issue
github commit
software

9.9 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

30.5%

JSON

Impact

Triggering the office converter with a specially crafted file name allows writing the attachment’s content to an attacker-controlled location on the server as long as the Java process has write access to that location. In particular in the combination with attachment moving, a feature introduced in XWiki 14.0, this is easy to reproduce but it also possible to reproduce in versions as old as XWiki 3.5 by uploading the attachment through the REST API which doesn’t remove / or \ from the filename. As the mime type of the attachment doesn’t matter for the exploitation, this could e.g., be used to replace the jar-file of an extension which would allow executing arbitrary Java code and thus impact the confidentiality, integrity and availability of the XWiki installation. To reproduce the issue on versions since XWiki 14.0, execute the following steps:

  1. Activate the office server
  2. Upload an arbitrary file with the extension .doc, e.g., to your user profile (you can use a regular plain text file, only the extension matters).
  3. Use the attachment move feature to rename the file to …/…/…/…/…/tmp/Hello from XWiki.txt where the latter part is the location of a file you want to write on the server. The number of …/ depends on the directory depth, the provided example should work on Linux with the demo distribution.
  4. Click the “preview” link to trigger the office converter

For information how to reproduce on older versions, see the Jira issue.

To the best of our knowledge, this attack is not possible when the office conversion process doesn’t run as the code fails before the file is written.

Patches

This vulnerability has been patched in XWiki 14.10.8 and 15.3RC1.

Workarounds

There are no known workarounds apart from disabling the office converter.

References

Affected configurations

Vulners
Node
org.xwiki.platform\xwikiMatchplatform
OR
org.xwiki.platform\xwikiMatchplatform
OR
org.xwiki.platform\xwikiMatchplatform

Related

osv 2
cve 1
cvelist 1
prion 1
openvas 1
nvd 1
osv
osv
CVE-2023-37913
2023-10-25 18:17:28
org.xwiki.platform:xwiki-platform-office-importer vulnerable to arbitrary server side file writing from account through office converter
2023-10-25 21:08:32
cve
cve
CVE-2023-37913
2023-10-25 18:17:28
cvelist
cvelist
CVE-2023-37913 org.xwiki.platform:xwiki-platform-office-importer vulnerable to arbitrary server side file writing from account through office converter
2023-10-25 17:59:46
prion
prion
Code injection
2023-10-25 18:17:00
openvas
openvas
XWiki 3.5-milestone-1 < 14.10.8, 15.0-rc-1 < 15.3-rc-1 XSS Vulnerability (GHSA-vcvr-v426-3m3m)
2023-11-16 00:00:00
nvd
nvd
CVE-2023-37913
2023-10-25 18:17:28

9.9 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

30.5%

JSON
Related for GHSA-VCVR-V426-3M3M
osv2cve1cvelist1prion1openvas1nvd1