CVE-2023-26470: XWiki Platform subject to Uncontrolled Resource Consumption

CVSS Score (v3.1): 5.7

Basic Information

EPSS Score: 0.42681%
Published: 3/3/2023
Updated: 3/13/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

Package Name: org.xwiki.platform:xwiki-platform-oldcore
Ecosystem: maven
Vulnerable Versions: < 14.0-rc-1
First Patched Version: 14.0-rc-1

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from how XWikiDocument stored objects in a list structure (TreeMap of Lists) where high object numbers created millions of null entries. The critical functions are those manipulating object indices (createXObject, setXObject, setXObjects) which allowed unbounded list growth. The patch replaced the list with a map-based structure (BaseObjects) to eliminate null entries, confirming the original list-handling functions were vulnerable. The confidence is high due to direct correlation between the attack vector (high index insertion) and the patched storage mechanism.
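The contrast between the two storage shapes described above, as an added illustration that is not XWiki's own code: a list that has to be padded with nulls up to the requested object number, beside a map keyed by object number in the spirit of the patched BaseObjects structure. The class and method names here are hypothetical, and the object number used is a constructed sample.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;

// Simplified model (hypothetical names, not XWiki's classes) of why a high
// object number was so expensive before the fix and cheap after it.
public class XObjectStorageModel {

    /** Pre-fix shape: slot `number` must exist, so every gap below it is filled with null. */
    static final class ListBackedObjects {
        private final List<String> objects = new ArrayList<>();

        void set(int number, String value) {
            if (number < 0) throw new IllegalArgumentException("object number must be >= 0");
            // One object at a huge index forces millions of null references to be allocated,
            // and the whole list is rebuilt each time the document is loaded or saved.
            while (objects.size() <= number) {
                objects.add(null);
            }
            objects.set(number, value);
        }

        int allocatedSlots() { return objects.size(); }
    }

    /** Post-fix shape: only numbers that actually hold an object occupy memory. */
    static final class MapBackedObjects {
        private final Map<Integer, String> objects = new TreeMap<>();

        void set(int number, String value) {
            if (number < 0) throw new IllegalArgumentException("object number must be >= 0");
            objects.put(number, value); // sparse: cost is per stored object, not per index
        }

        int allocatedSlots() { return objects.size(); }
    }

    public static void main(String[] args) {
        int hugeNumber = 1_000_000; // constructed sample value
        ListBackedObjects before = new ListBackedObjects();
        before.set(hugeNumber, "tag");
        MapBackedObjects after = new MapBackedObjects();
        after.set(hugeNumber, "tag");
        System.out.println("list-backed slots allocated: " + before.allocatedSlots());
        System.out.println("map-backed slots allocated:  " + after.allocatedSlots());
    }
}
```

Running it shows the list-backed store holding one slot per index up to the requested number while the map-backed store holds a single entry, which is the difference the patch relies on.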

Impact

It's possible to make the farm unusable by adding an object to a page with a huge number (e.g. ********). This will most of the time fill the memory allocated to XWiki and make it unusable every time this document is manipulated.
