6.6

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-15171

GHSA ID

GHSA-7qw5-pqhc-xm4g

EPSS Score

0.71846%

CWE

CWE-74

Published

9/10/2020

Updated

2/1/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-15171

CVE-2020-15171: Users with SCRIPT right can execute arbitrary code in XWiki

Impact

Any user with SCRIPT right (EDIT right before XWiki 7.4) can gain access to the application server Servlet context which contains tools allowing to instantiate arbitrary Java objects and invoke methods that may lead to arbitrary code execution.

Patches

It has been patched in both version XWiki 12.2.1 and XWiki 11.10.5.

Workarounds

The only workaround is to give SCRIPT right only to trusted users.

References

https://jira.xwiki.org/browse/XWIKI-17141 https://jira.xwiki.org/browse/XWIKI-17266

It's been reported by the GitHub Security Lab under #GHSL-2020-046.

For more information

If you have any questions or comments about this advisory:

Open an issue in Jira XWiki
Email us at our security mailing list

(GitHub Advisory)

6.6

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-15171

GHSA ID

GHSA-7qw5-pqhc-xm4g

EPSS Score

0.71846%

CWE

CWE-74

Published

9/10/2020

Updated

2/1/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.xwiki.platform:xwiki-platform-oldcore	maven	< 11.10.5	11.10.5
org.xwiki.platform:xwiki-platform-oldcore	maven	>= 12.0.0, < 12.2.1	12.2.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from exposing the ServletContext to users with SCRIPT rights via the $request binding. The XWikiServletRequestStub class likely provides access to the ServletContext through getServletContext(), which would be dangerous if accessible in scripts. The XWikiScriptContextManager's role in binding the request object to the scripting context makes it a key enabler of this exposure. These functions together allow attackers to reach Java reflection capabilities through the ServletContext, aligning with the described injection and code execution vectors (CWE-74/CWE-94).

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t *ny us*r wit* S*RIPT ri**t (**IT ri**t ***or* XWiki *.*) **n **in ****ss to t** *ppli**tion s*rv*r S*rvl*t *ont*xt w*i** *ont*ins tools *llowin* to inst*nti*t* *r*itr*ry J*v* o*j**ts *n* invok* m*t*o*s t**t m*y l*** to *r*itr*ry *o** *x**

Reasoning

T** vuln*r**ility st*ms *rom *xposin* t** `S*rvl*t*ont*xt` to us*rs wit* S*RIPT ri**ts vi* t** `$r*qu*st` *in*in*. T** `XWikiS*rvl*tR*qu*stStu*` *l*ss lik*ly provi**s ****ss to t** `S*rvl*t*ont*xt` t*rou** `**tS*rvl*t*ont*xt()`, w*i** woul* ** **n**r

6.6

Basic Information

Concerned about an active attack path?

CVE-2020-15171: Users with SCRIPT right can execute arbitrary code in XWiki

Impact

Patches

Workarounds

References

For more information

6.6

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI