
CVE-2022-24898: Arbitrary file access through XML parsing in org.xwiki.commons:xwiki-commons-xml

CVSS Score (v3.1): 4.9

Basic Information

EPSS Score: 0.3314%
Published: 4/28/2022
Updated: 1/30/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Package Name                          Ecosystem  Vulnerable Versions      First Patched Version
org.xwiki.commons:xwiki-commons-xml   maven      >= 2.7, < 12.10.10       12.10.10
org.xwiki.commons:xwiki-commons-xml   maven      >= 13.0.0, < 13.4.4      13.4.4
org.xwiki.commons:xwiki-commons-xml   maven      >= 13.5-rc-1, <= 13.7    13.8-rc-1

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from insufficient security settings in the XML parser: the DOM parser used by the XML script service was built without disabling external DTD loading and external entity resolution, which is what makes XML External Entity (XXE) injection possible. The patch explicitly adds three security parameters (DISABLE_EXTERNAL_DOCTYPE_DECLARATION, DISABLE_EXTERNAL_PARAMETER_ENTITIES, DISABLE_EXTERNAL_GENERAL_ENTITIES) to the DOM parser configuration in the parse() method. The presence of these parameters in the patch indicates that the vulnerable code path was the XML parsing logic handled by this function, and the example exploit, which calls it directly via $xml.parse(), confirms its role in the vulnerability.
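To show what the three parameters in the patch amount to in practice, here is an added example in plain JAXP (not XWiki's code): a DocumentBuilderFactory with default settings beside one hardened against XXE, both parsing a constructed document that declares an external entity. The feature URIs are the standard Xerces/JAXP ones; their correspondence to the advisory's constant names is an assumption, as is the class and sample file path.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;

public class XxeHardening {

    // Standard JAXP/Xerces feature URIs. Assumption: these are what the three
    // constants named in the advisory map to; the mapping is ours, not XWiki's.
    static final String LOAD_EXTERNAL_DTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
    static final String EXT_GENERAL_ENTITIES = "http://xml.org/sax/features/external-general-entities";
    static final String EXT_PARAMETER_ENTITIES = "http://xml.org/sax/features/external-parameter-entities";

    // Weak setting: a factory left at JAXP defaults resolves external entities.
    static DocumentBuilderFactory defaultFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Corrected setting: no external DTD fetch, no external entity expansion.
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature(LOAD_EXTERNAL_DTD, false);
        f.setFeature(EXT_GENERAL_ENTITIES, false);
        f.setFeature(EXT_PARAMETER_ENTITIES, false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Constructed sample: an internal DTD declaring an external entity that
    // points at a deliberately nonexistent local file.
    static final String SAMPLE = "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE doc [<!ENTITY ext SYSTEM \"file:///tmp/constructed-does-not-exist.txt\">]>\n"
        + "<doc>&ext;</doc>";

    // Parses SAMPLE and returns the root element's text, or the failure reason.
    static String parseText(DocumentBuilderFactory f) {
        try {
            Document d = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(SAMPLE.getBytes(StandardCharsets.UTF_8)));
            return "text='" + d.getDocumentElement().getTextContent() + "'";
        } catch (Exception e) {
            return "rejected: " + e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // The default parser tries to open the file; the I/O error it reports
        // is the evidence that it would have read a real file into the document.
        System.out.println("default : " + parseText(defaultFactory()));
        // The hardened parser skips the external entity, so the text stays empty.
        System.out.println("hardened: " + parseText(hardenedFactory()));
    }
}
```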


WAF Protection Rules

WAF Rule

Impact: It's possible in a script to access any file accessible to the user running the XWiki application server with XML external entity injection through the XML script service. For example:

```
{{velocity}}
#set($xml=$services.get('xml'))
#set($x
```
