SB2024010844 - Multiple vulnerabilities in XWiki platform

Published: January 8, 2024 Updated: May 5, 2026

Security Bulletin ID: SB2024010844
CSH Severity: High
Patch available: YES
Number of vulnerabilities: 3
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High 33%, Medium 67%

Description

This security bulletin contains information about 3 vulnerabilities.


1) Resource exhaustion (CVE-ID: CVE-2024-21651)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to uncontrolled resource consumption in the attachment parsing functionality when processing a malformed TAR attachment with manipulated file modification time headers through Tika. A remote attacker can upload a specially crafted TAR file to cause a denial of service.

Exploitation requires the ability to attach a file to a page.
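As an added illustration of the attachment-side defence for the issue above (this code is not from the bulletin or from the XWiki project): a pre-filter that walks the ustar headers of an uploaded TAR and rejects any entry whose modification-time field is not plain octal or lies outside an assumed sane range, before the file is handed to a content extractor such as Tika. The header offsets are the standard ustar layout; the upper time bound, the sample archive and the function names are assumptions constructed for this example.

```python
import io
import tarfile

# POSIX ustar header layout (512-byte header block): standard offsets, not from the bulletin.
BLOCK = 512
SIZE_OFF, SIZE_LEN, MTIME_OFF, MTIME_LEN = 124, 12, 136, 12
MAX_SANE_MTIME = 4102444800  # assumed policy bound: reject timestamps after 2100-01-01 UTC


def _octal_field(block: bytes, off: int, length: int) -> int:
    """Decode a plain octal header field; refuse binary (base-256) or junk encodings."""
    raw = block[off:off + length].split(b"\0", 1)[0].strip(b" ")
    if not raw or any(c not in b"01234567" for c in raw):
        raise ValueError(f"header field at offset {off} is not plain octal: {raw!r}")
    return int(raw, 8)


def scan_tar_mtimes(data: bytes) -> list:
    """Return [(name, mtime)] for each entry; raise ValueError on a malformed mtime field."""
    entries, pos = [], 0
    while pos + BLOCK <= len(data):
        block = data[pos:pos + BLOCK]
        if block == b"\0" * BLOCK:  # end-of-archive marker
            break
        name = block[:100].split(b"\0", 1)[0].decode("utf-8", "replace")
        size = _octal_field(block, SIZE_OFF, SIZE_LEN)
        mtime = _octal_field(block, MTIME_OFF, MTIME_LEN)
        if mtime > MAX_SANE_MTIME:
            raise ValueError(f"{name}: mtime {mtime} is outside the accepted range")
        entries.append((name, mtime))
        pos += BLOCK + ((size + BLOCK - 1) // BLOCK) * BLOCK  # skip the entry's data blocks
    return entries


def tar_attachment_is_acceptable(data: bytes) -> bool:
    """Gate to run on an uploaded TAR before it reaches a metadata extractor such as Tika."""
    try:
        scan_tar_mtimes(data)
        return True
    except ValueError:
        return False


def build_sample(mtime_field: bytes = None) -> bytes:
    """Constructed sample archive; optionally overwrite the first entry's raw mtime field."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        info = tarfile.TarInfo("notes.txt")
        info.size, info.mtime = 5, 1704672000  # 2024-01-08 UTC
        tf.addfile(info, io.BytesIO(b"hello"))
    data = bytearray(buf.getvalue())
    if mtime_field is not None:
        data[MTIME_OFF:MTIME_OFF + MTIME_LEN] = mtime_field.ljust(MTIME_LEN, b"\0")[:MTIME_LEN]
    return bytes(data)
```

The filter deliberately does not trust the archive checksum or the parser's own error handling: anything that is not a plain, in-range octal timestamp is refused up front.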


2) Eval Injection (CVE-ID: CVE-2024-21650)

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper neutralization of directives in dynamically evaluated code in the user registration feature when processing user-supplied "first name" or "last name" fields during registration. A remote attacker can submit crafted registration data to execute arbitrary code.

Only installations that have user registration enabled for guests are vulnerable.


3) Improper Handling of Insufficient Privileges (CVE-ID: CVE-2024-21648)

The vulnerability allows a remote user to regain rights that have since been revoked.

The vulnerability exists due to improper handling of insufficient privileges in the rollback action when performing a page rollback. A remote user can roll back a page to a previous version and thereby regain rights that had been removed from them.

User interaction is required.


Remediation

Install the update from the vendor's website.