exploitDog

GHSA-8959-rfxh-r4j4

Published: 08 Jan 2024
Source: github
GitHub: reviewed
CVSS3: 7.5

Description

XWiki vulnerable to Denial of Service attack through attachments

Impact

A user able to attach a file to a page can post a malformed TAR file by manipulating file modification times headers, which when parsed by Tika, could cause a denial of service issue via CPU consumption.

Patches

This vulnerability has been patched in XWiki 14.10.18, 15.5.3 and 15.8 RC1.

Workarounds

The workaround is to download commons-compress 1.24 and replace the copy located in XWiki's WEB-INF/lib/ folder.

References

https://jira.xwiki.org/browse/XCOMMONS-2796

For more information

If you have any questions or comments about this advisory:

Packages

Name: org.xwiki.platform:xwiki-platform-distribution-war (maven)
Affected versions: >= 14.10, < 14.10.18
Fixed version: 14.10.18

Name: org.xwiki.platform:xwiki-platform-distribution-war (maven)
Affected versions: >= 15.0-rc-1, < 15.5.3
Fixed version: 15.5.3

Name: org.xwiki.platform:xwiki-platform-distribution-war (maven)
Affected versions: >= 15.6-rc-1, < 15.8-rc-1
Fixed version: 15.8-rc-1
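An added check, not code from the advisory, XWiki or exploitDog, that encodes the three affected ranges above and the commons-compress workaround: it parses XWiki version strings including the -rc-N form so that 15.8-rc-1 sorts below 15.8, and inspects a WEB-INF/lib file listing for a commons-compress jar at or above 1.24. The jar naming pattern commons-compress-<version>.jar and the sample file names are assumptions.

```python
import re

# Affected ranges exactly as the advisory lists them: lower bound inclusive, upper exclusive.
AFFECTED_RANGES = [
    ("14.10", "14.10.18"),
    ("15.0-rc-1", "15.5.3"),
    ("15.6-rc-1", "15.8-rc-1"),
]
FIXED_COMMONS_COMPRESS = "1.24"  # version named in the workaround

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-rc-(\d+))?$", re.IGNORECASE)
# Assumed jar naming pattern inside WEB-INF/lib, e.g. commons-compress-1.23.0.jar
_JAR_RE = re.compile(r"^commons-compress-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """'15.8-rc-1' -> sortable tuple; an rc sorts below its final release (15.8-rc-1 < 15.8)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))  # pad so 14.10 compares as 14.10.0
    pre = (0, int(m.group(2))) if m.group(2) else (1, 0)
    return tuple(nums[:3]) + pre


def is_affected(xwiki_version):
    """True if the XWiki WAR version falls inside one of the advisory's ranges."""
    v = parse_version(xwiki_version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in AFFECTED_RANGES)


def commons_compress_version(jar_names):
    """Version of the commons-compress jar among the given file names, or None."""
    for name in jar_names:
        m = _JAR_RE.match(name)
        if m:
            return m.group(1)
    return None


def workaround_applied(jar_names):
    """True once commons-compress 1.24 or newer is present, as the workaround requires."""
    found = commons_compress_version(jar_names)
    return found is not None and parse_version(found) >= parse_version(FIXED_COMMONS_COMPRESS)


if __name__ == "__main__":
    import os
    # Constructed sample listing; set LIB to a real WEB-INF/lib path to check a deployment.
    jars = os.listdir(os.environ["LIB"]) if "LIB" in os.environ else ["commons-compress-1.23.0.jar"]
    print("affected:", is_affected("15.7.1"), "| workaround applied:", workaround_applied(jars))
```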

EPSS

Percentile: 65%
0.00497
Low

7.5 High

CVSS3

Weaknesses

CWE-400

Related vulnerabilities

CVSS3: 7.5
nvd
about 2 years ago

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A user able to attach a file to a page can post a malformed TAR file by manipulating file modification times headers, which when parsed by Tika, could cause a denial of service issue via CPU consumption. This vulnerability has been patched in XWiki 14.10.18, 15.5.3 and 15.8 RC1.