Introduction:
The XWiki Commons is a collection of libraries that are used across multiple top-level XWiki projects, providing the foundation for the XWiki platform. A recent security vulnerability, identified as CVE-2023-29507, has been discovered in the XWiki Commons, specifically within the Document script API. This flaw allows attackers to set any authors for a document, which can, in turn, lead to the unauthorized execution of scripts, as the document author is used to verify the necessary rights to run these scripts. Fortunately, the issue has been patched in XWiki versions 14.10 and 14.4.7 with a safe script API implementation.
Details of the Vulnerability
The issue arises as the Document script API in XWiki Commons returns a DocumentAuthors object, which allows any authors to be set for a specific document. As a result, this vulnerability can be exploited to bypass permission checks and execute scripts without proper authorization, potentially leading to malicious actions on the XWiki platform.
Here is a code snippet that demonstrates the problem
// Unsafe Document script API in XWiki Commons
def documentAuthors = xwiki.getDocument().getAuthors();
documentAuthors.setAuthor("attacker"); // attacker can set any author here
xwiki.getDocument().save();
By exploiting this vulnerability, an attacker could potentially gain unauthorized access to sensitive documents on the XWiki platform, modify content, and even execute other scripts, resulting in a significant compromise of the application's security.
To help illustrate the potential problems, let’s say there’s an XWiki administrator who can execute scripts, and a regular user who doesn't have the same permissions. The regular user attempts to run a script, and the platform checks the author's rights based on the document's set author, which should be the administrator. However, due to CVE-2023-29507, the user manages to set himself as the author, and the platform then allows the user to execute the script without proper authorization.
Patch and Fix
The issue was resolved in XWiki versions 14.10 and 14.4.7 with a safe script API implementation that effectively mitigates the vulnerability. The security patch ensures that only authorized authors can be set in the Document script API, thereby reducing the risk of unauthorized execution of scripts.
Here's a code snippet highlighting the patched, safe API
// Safe Document script API in XWiki Commons
def documentAuthors = xwiki.getDocument().getSafeAuthors();
documentAuthors.setAuthor("authorizedAuthor"); // Only authorized authors can now be set
xwiki.getDocument().save();
If you are using an affected version of XWiki, please update to version 14.10 or 14.4.7 immediately to protect your application from this vulnerability. Always ensure that you are using the latest and most secure version of software in your environment to reduce the risk of potential security breaches.
Original References
1. XWiki Security Advisory - CVE-2023-29507
2. XWiki Commons - Document Script API
3. XWiki 14.10 Release Notes
4. XWiki 14.4.7 Release Notes
Conclusion
The risk posed by the CVE-2023-29507 vulnerability in the XWiki Commons was significant, as it allowed attackers to manipulate document authors and bypass security checks, potentially granting them unauthorized access to execute scripts in the XWiki platform. The security patch released in XWiki 14.10 and 14.4.7 resolves this issue by implementing a safe script API that enforces proper authorization for setting document authors. Users are advised to update their XWiki instances to the latest patched version to ensure the security of their applications.
Timeline
Published on: 04/16/2023 07:15:00 UTC
Last modified on: 04/26/2023 17:51:00 UTC