CVE-2024-55877
CRITICAL 9.9 | EPSS 33.4%
XWiki allows remote code execution from account through macro descriptions and XWiki.XWikiSyntaxMacrosList
Description
### Impact

Any user with an account can perform arbitrary remote code execution by adding instances of `XWiki.WikiMacroClass` to any page. This compromises the confidentiality, integrity and availability of the whole XWiki installation.

To reproduce on an instance, as a connected user without script or programming rights, go to your user profile and add an object of type `XWiki.WikiMacroClass`. Set "Macro Id", "Macro Name" and "Macro Code" to any value, "Macro Visibility" to `Current User` and "Macro Description" to `{{async}}{{groovy}}println("Hello from User macro!"){{/groovy}}{{/async}}`. Save the page, then go to `<host>/xwiki/bin/view/XWiki/XWikiSyntaxMacrosList`. If the description of your new macro reads "Hello from User macro!", then your instance is vulnerable.

### Patches

This vulnerability has been fixed in XWiki 15.10.11, 16.4.1 and 16.5.0.

### Workarounds

It is possible to manually apply [this patch](https://github.com/xwiki/xwiki-platform/commit/40e1afe001d61eafdf13f3621b4b597a0e58a3e3#diff-92fee29683e671b8bc668e3cf4295713d6259f715e3954876049f9de77c0a9ef) to the page `XWiki.XWikiSyntaxMacrosList`.

### References

* https://jira.xwiki.org/browse/XWIKI-22030
* https://github.com/xwiki/xwiki-platform/commit/40e1afe001d61eafdf13f3621b4b597a0e58a3e3
Affected packages (1)
- Maven / org.xwiki.platform:xwiki-platform-help-ui: >= 9.7-rc-1, < 15.10.11
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.9 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
References (5)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-55877
- PATCH: https://github.com/xwiki/xwiki-platform
- WEB: https://github.com/xwiki/xwiki-platform/commit/40e1afe001d61eafdf13f3621b4b597a0e58a3e3
- WEB: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-2r87-74cx-2p7c
- WEB: https://jira.xwiki.org/browse/XWIKI-22030