XWiki Platform, a widely used wiki platform providing runtime services for applications, has been found to contain a critical security vulnerability that allows for the execution of arbitrary Groovy, Python, or Velocity code. This can lead to unauthenticated remote code execution and, ultimately, full unauthorized access to the XWiki installation. This vulnerability has been assigned the ID CVE-2022-41934.
Details
The vulnerability exists due to improper escaping of macro content and parameters within the menu macro, allowing any user with view rights on commonly accessible documents to execute arbitrary code.
Exploit
An attacker can craft a malicious menu macro, such as the following example, to take advantage of the vulnerable menu macro:
#groovy('import org.xwiki.rendering.transformation.macro.MacroBinding;new MacroBinding("name", {"name": [["user": "x"], ["content": "arbitrary code"]]}, ["id": "macro"], [:]).execute()')
Mitigation
XWiki has released patches for the affected versions, which have been applied in XWiki 14.6RC1, 13.10.8, and 14.4.3. To fix the vulnerability, follow one of these steps:
Import a XAR archive containing a patched version of the Menu.MenuMacro.
For users on XWiki 11.6 or later, the patch for version 13.10.8 (commit 59ccca24a) can most likely be applied. If you're using XWiki 14. or later, the patched versions in XWiki 14.6 and 14.4.3 should be appropriate.
Original References
- XWiki Security Advisory: CVE-2022-41934
- Vulnerability Patch Commit: 2fc20891
- Patch for XWiki 11.6 or Later: 59ccca24a
Conclusion
To protect your XWiki installation from this unauthenticated remote code execution vulnerability, it is highly recommended to upgrade to a patched version or apply the appropriate patch for the Menu.MenuMacro document. Ensuring your XWiki platform is updated will keep its content and applications secure against unauthorized access and exploitation.
Timeline
Published on: 11/23/2022 20:15:00 UTC
Last modified on: 11/30/2022 17:30:00 UTC