2.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-29253

GHSA ID

GHSA-9qrp-h7fw-42hg

EPSS Score

0.19957%

CWE

CWE-22

Published

6/1/2022

Updated

1/27/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-29253

CVE-2022-29253: Path Traversal in XWiki Platform

Impact

One can ask for any file located in the classloader using the template API and a path with ".." in it. For example

{{template name="../xwiki.hbm.xml"/}}

To our knownledge none of the available files of the classloader in XWiki Standard contain any strong confidential data, hence the low confidentiality value of this advisory.

Patches

The issue is patched in versions 14.0 and 13.10.3.

Workarounds

There's no easy workaround for this issue, administrators should upgrade their wiki.

References

https://jira.xwiki.org/browse/XWIKI-19349
https://github.com/xwiki/xwiki-platform/commit/4917c8f355717bb636d763844528b1fe0f95e8e2

For more information

If you have any questions or comments about this advisory:

Open an issue in Jira XWiki
Email us at security mailing list

(GitHub Advisory)

2.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-29253

GHSA ID

GHSA-9qrp-h7fw-42hg

EPSS Score

0.19957%

CWE

CWE-22

Published

6/1/2022

Updated

1/27/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.xwiki.platform:xwiki-platform-oldcore	maven	>= 8.3-rc-1, < 13.10.3	13.10.3

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper path sanitization in the classloader template resolution logic. The commit patching the issue adds critical path normalization and a directory traversal check to 'getClassloaderTemplate' in InternalTemplateManager.java, specifically verifying that the normalized path starts with the expected 'prefixPath'. This directly addresses the path traversal vulnerability described in the advisory. The function's pre-patch behavior of blindly concatenating user-controlled 'templateName' with 'suffixPath' (later renamed to 'prefixPath') without validation is the root cause.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t On* **n *sk *or *ny *il* lo**t** in t** *l*sslo***r usin* t** t*mpl*t* *PI *n* * p*t* wit* ".." in it. *or *x*mpl* ``` {{t*mpl*t* n*m*="../xwiki.**m.xml"/}} ``` To our knownl**** non* o* t** *v*il**l* *il*s o* t** *l*sslo***r in XWiki

Reasoning

T** vuln*r**ility st*ms *rom improp*r p*t* s*nitiz*tion in t** *l*sslo***r t*mpl*t* r*solution lo*i*. T** *ommit p*t**in* t** issu* ***s *riti**l p*t* norm*liz*tion *n* * *ir**tory tr*v*rs*l ****k to '**t*l*sslo***rT*mpl*t*' in Int*rn*lT*mpl*t*M*n***

2.7

Basic Information

Concerned about an active attack path?

CVE-2022-29253: Path Traversal in XWiki Platform

Impact

Patches

Workarounds

References

For more information

2.7

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI