CVE-2022-41931 - xwiki-platform-icon-ui Eval Injection Vulnerability and Mitigation

The open-source web-based wiki software XWiki is affected by a critical security vulnerability called CVE-2022-41931. This vulnerability is due to improper neutralization of directives in dynamically evaluated code, also known as 'Eval Injection', in the xwiki-platform-icon-ui component. This post will provide a detailed explanation of the vulnerability, a code snippet showcasing the issue, links to original references, and steps to mitigate the problem. Users running XWiki 13.10.7, 14.5, and 14.4.2 are advised to upgrade immediately.

Vulnerability Details

XWiki's icon picker macro is designed to facilitate the selection of icons for documents like pages, blog posts, and attachments. Due to improper neutralization of the macro parameters of the icon picker macro, any XWiki user with view rights on commonly accessible documents that include the icon picker macro can execute arbitrary Groovy, Python, or Velocity code. The vulnerable component is the xwiki-platform-icon-ui.

A successful exploitation allows an attacker to run arbitrary code, potentially leading to unauthorized access, data theft, or denial-of-service.

The following code snippet demonstrates the problematic implementation of the icon picker macro

#macro(iconPicker $iconSetName $iconName $outputSyntax='xhtml/1.' $iconSetDocument $iconSetVersion $iconThemePage)
  ...
  #set($getIconSet = "getIconSetFromDocument('$iconSetDocument', $!iconSetVersion)")
  #set($iconDoc = $xwiki.getDocument($iconSetDocument))
  ...
  #set($idGetter = "get${iconSetName}IconSetId")
  #set($urlGetter = "get${iconSetName}IconSetUrl")
  ...
  #set($iconSetName = $iconSetDoc.getValue($typeKey))
  ...
  #evaluate($services.icon.theme.${idGetter}($iconSetName, $iconThemePage))Get the icon set URL
  #evaluate($services.icon.theme.${urlGetter}($iconSetName, $iconThemePage))
...
#end

As seen in the snippet, the macro uses the #evaluate directive and concatenates user-controlled input ($iconSetName), leading to the vulnerability.

- CVE-2022-41931 - NVD
- XWiki Security Advisory
- Patch Commit on GitHub

How to Mitigate the Vulnerability

The issue has been fixed in XWiki versions 13.10.7, 14.5, and 14.4.2. Users are advised to upgrade to the patched versions immediately.

Users who cannot upgrade immediately can apply the following workarounds

1. Manually apply the patch by editing IconThemesCode.IconPickerMacro in the object editor.
2. Replace the whole document with the patched version by importing the document from the XAR archive of a fixed version. The changes only include security fixes and minor formatting updates.

Conclusion

CVE-2022-41931 is a critical security vulnerability in XWiki that allows unauthorized code execution through the icon picker macro. It is highly recommended to apply the patch or upgrade to the latest version to ensure your environment's security. Regularly updating your software and paying close attention to security advisories are essential practices to safeguard against such vulnerabilities.

Timeline

Published on: 11/23/2022 20:15:00 UTC
Last modified on: 11/30/2022 17:00:00 UTC