Lucene search

[email protected]NVD:CVE-2024-21651

HistoryJan 09, 2024 - 12:15 a.m.

CVE-2024-21651

2024-01-0900:15:44

CWE-400

[email protected]

web.nvd.nist.gov

xwiki platform

file attachment

denial of service

vulnerability

patched

versions 14.10.18

15.5.3

15.8 rc1

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

0.0005 Low

EPSS

Percentile

17.3%

JSON

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A user able to attach a file to a page can post a malformed TAR file by manipulating file modification times headers, which when parsed by Tika, could cause a denial of service issue via CPU consumption. This vulnerability has been patched in XWiki 14.10.18, 15.5.3 and 15.8 RC1.

Affected configurations

NVD

Node

xwikixwikiRange14.10–14.10.18

xwikixwikiRange15.5–15.5.3

xwikixwikiRange15.6–15.8

References

github.com/xwiki/xwiki-platform/security/advisories/GHSA-8959-rfxh-r4j4

jira.xwiki.org/browse/XCOMMONS-2796

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

0.0005 Low

EPSS

Percentile

17.3%

JSON

Related for NVD:CVE-2024-21651

cve1 github1 osv2 prion1 cvelist1