CVE-2023-40573 - XWiki Platform Remote Code Execution Vulnerability Affecting Scheduled Jobs

----

XWiki Platform (versions <= 14.10.8, and versions < 15.4RC1) is vulnerable to a security flaw tracked under the Common Vulnerabilities and Exposures identifier CVE-2023-40573. The vulnerability allows an attacker with wiki edit rights to achieve remote code execution by exploiting a CSRF issue in the job scheduler together with a flaw in how the scheduler checks the author of a Groovy job script.

BACKGROUND

XWiki Platform is a highly customizable generic wiki platform that offers a wide range of runtime services for applications built on top of it. One of its key features is support for scheduled jobs. These jobs primarily contain Groovy scripts, which can be scheduled to run at a specified interval.

VULNERABILITY DETAILS

The vulnerability arises because the job scheduler checks whether the content author of the Groovy script holds programming right, while modifying or adding a job script to a document does not update that content author. The script therefore keeps running with the rights of the original author even after a less privileged user has changed it. As a result, an attacker with edit rights on the wiki could trigger remote code execution by exploiting a CSRF (Cross-Site Request Forgery) vulnerability in the job scheduler.

Upon successful exploitation, an error-level log entry containing the message "Job content executed" is produced, indicating that the vulnerability has been exploited.
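The author-check flaw described above, as an added, simplified model written for this page (it is not XWiki code and uses no XWiki API): a job document keeps a content author, the scheduler only runs the script if that author holds programming right, and the difference between the flawed save and the corrected save is whether editing the script reassigns the author. The user names and the right table are constructed for the example.

```python
# Added example, not XWiki code: a minimal model of the scheduler's
# programming-right check in its flawed and corrected forms.
from dataclasses import dataclass

# Constructed: the set of users holding programming right.
PROGRAMMING_RIGHT = {"XWiki.Admin"}


@dataclass
class JobDocument:
    """A scheduled job: its script and the author the scheduler checks."""
    content_author: str
    script: str


def save_vulnerable(doc: JobDocument, editor: str, new_script: str) -> None:
    """Flawed behaviour: the script is replaced, content_author is untouched,
    so the scheduler keeps checking the original (privileged) author."""
    doc.script = new_script


def save_fixed(doc: JobDocument, editor: str, new_script: str) -> None:
    """Corrected behaviour: whoever last changed the script becomes its
    content author, so the check applies to the actual editor."""
    doc.script = new_script
    doc.content_author = editor


def scheduler_may_run(doc: JobDocument) -> bool:
    """The scheduler runs the script only if its content author holds
    programming right (the check the advisory describes)."""
    return doc.content_author in PROGRAMMING_RIGHT


def scenario(save) -> tuple[str, bool]:
    """A job created by an admin is edited by a user with edit rights only.
    Returns (author the scheduler will check, whether the script would run)."""
    doc = JobDocument(content_author="XWiki.Admin", script="// benign job")
    save(doc, "XWiki.EditorOnly", "// script replaced by a non-privileged user")
    return doc.content_author, scheduler_may_run(doc)


if __name__ == "__main__":
    print("vulnerable:", scenario(save_vulnerable))  # ('XWiki.Admin', True)
    print("fixed:     ", scenario(save_fixed))       # ('XWiki.EditorOnly', False)
```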

The following code snippet demonstrates how the vulnerability could be exploited:

// Assume the attacker has wiki edit rights
// Attacker creates a new Groovy script scheduled job

jobDocument = xwiki.getDocument('XWiki.MyJob')
jobDocument.setContentAuthor('XWiki.Admin') // Original content author with programming right
jobDocument.setContent( """
    // Job Groovy script goes here, which could be potentially malicious
    println "Job content executed"
""")
jobDocument.save()

// Attacker triggers the scheduler with CSRF
xwiki.csrf.exemptions.add('scheduler') // Adding scheduler to CSRF exemptions list
curl -b "JSESSIONID=<attackerSession>" \
"http://wiki.example.com/xwiki/bin/view/Scheduler/JobLastReport?jobType=executiondate&jobName=$\{jobDocument.prefixedFullName}%252515-21T07%3A35%3A00.000%252B02%3A00";

SOLUTION

The vulnerability has been fixed in XWiki Platform 14.10.9 and 15.4RC1. Upgrading to one of these patched versions, or later, is strongly recommended.

*Original references:*

- XWiki Patch information: 14.10.9 Release Notes
- XWiki Patch information: 15.4RC1 Release Notes
- XWiki Security Advisories: CVE-2023-40573

To keep the platform secure and stable, users are advised to follow the official XWiki security advisories page and apply patches as soon as possible.

Timeline

Published on: 08/24/2023 02:15:00 UTC
Last modified on: 09/01/2023 17:09:00 UTC