4.9

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-24898

GHSA ID

GHSA-m2r5-4w96-qxg5

EPSS Score

0.3314%

CWE

CWE-611

Published

4/28/2022

Updated

1/30/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-24898

CVE-2022-24898: Arbitrary file access through XML parsing in org.xwiki.commons:xwiki-commons-xml

Impact

It's possible in a script to access any file accessing to the user running XWiki application server with XML External Entity Injection through the XML script service.

For example:

{{velocity}}
#set($xml=$services.get('xml'))
#set($xxe_payload = "<?xml version='1.0' encoding='UTF-8'?><!DOCTYPE root[<!ENTITY xxe SYSTEM 'file:///etc/passwd' >]><root><foo>&xxe;</foo></root>")
#set($doc=$xml.parse($xxe_payload))
$xml.serialize($doc)
{{/velocity}}

Patches

The problem has been patched on versions 12.10.10, 13.4.4 and 13.8RC1.

Workarounds

There's no easy workaround for fixing this vulnerability other than upgrading and being careful when giving Script rights.

References

https://jira.xwiki.org/browse/XWIKI-18946

For more information

If you have any questions or comments about this advisory:

Open an issue in Jira XWiki
Email us at XWiki Security mailing-list

(GitHub Advisory)

4.9

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-24898

GHSA ID

GHSA-m2r5-4w96-qxg5

EPSS Score

0.3314%

CWE

CWE-611

Published

4/28/2022

Updated

1/30/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.xwiki.commons:xwiki-commons-xml	maven	>= 2.7, < 12.10.10	12.10.10
org.xwiki.commons:xwiki-commons-xml	maven	>= 13.0.0, < 13.4.4	13.4.4
org.xwiki.commons:xwiki-commons-xml	maven	>= 13.5-rc-1, <= 13.7	13.8-rc-1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from insufficient security settings in the XML parser. The patch explicitly adds three security parameters (DISABLE_EXTERNAL_DOCTYPE_DECLARATION, DISABLE_EXTERNAL_PARAMETER_ENTITIES, DISABLE_EXTERNAL_GENERAL_ENTITIES) to the DOM parser configuration in the parse() method. The presence of these parameters in the patch indicates the vulnerable code path was in the XML parsing logic handled by this function. The example exploit demonstrates direct usage of this function via $xml.parse(), confirming its role in the vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t It's possi*l* in * s*ript to ****ss *ny *il* ****ssin* to t** us*r runnin* XWiki *ppli**tion s*rv*r wit* XML *xt*rn*l *ntity Inj**tion t*rou** t** XML s*ript s*rvi**. *or *x*mpl*: ``` {{v*lo*ity}} #s*t($xml=$s*rvi**s.**t('xml')) #s*t($x

Reasoning

T** vuln*r**ility st*ms *rom insu**i*i*nt s**urity s*ttin*s in t** XML p*rs*r. T** p*t** *xpli*itly ***s t*r** s**urity p*r*m*t*rs (*IS**L*_*XT*RN*L_*O*TYP*_***L*R*TION, *IS**L*_*XT*RN*L_P*R*M*T*R_*NTITI*S, *IS**L*_*XT*RN*L_**N*R*L_*NTITI*S) to t** *

4.9

Basic Information

Concerned about an active attack path?

CVE-2022-24898: Arbitrary file access through XML parsing in org.xwiki.commons:xwiki-commons-xml

Impact

Patches

Workarounds

References

For more information

4.9

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI