CVE-2022-24898

Опубликовано: 28 апр. 2022

Источник: nvd

CVSS3: 4.9

CVSS2: 4

EPSS Низкий

Описание

org.xwiki.commons:xwiki-commons-xml is a common module used by other XWiki top level projects. Starting in version 2.7 and prior to versions 12.10.10, 13.4.4, and 13.8-rc-1, it is possible for a script to access any file accessing to the user running XWiki application server with XML External Entity Injection through the XML script service. The problem has been patched in versions 12.10.10, 13.4.4, and 13.8-rc-1. There is no easy workaround for fixing this vulnerability other than upgrading and being careful when giving Script rights.

Ссылки

https://github.com/xwiki/xwiki-commons/commit/947e8921ebd95462d5a7928f397dd1b64f77c7d5
Patch
Third Party Advisory
https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-m2r5-4w96-qxg5
Third Party Advisory
https://jira.xwiki.org/browse/XWIKI-18946
Exploit
Vendor Advisory
https://github.com/xwiki/xwiki-commons/commit/947e8921ebd95462d5a7928f397dd1b64f77c7d5
Patch
Third Party Advisory
https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-m2r5-4w96-qxg5
Third Party Advisory
https://jira.xwiki.org/browse/XWIKI-18946
Exploit
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:xwiki:commons:*:*:*:*:*:*:*:*

Версия от 2.7 (включая) до 12.10.10 (исключая)

cpe:2.3:a:xwiki:commons:*:*:*:*:*:*:*:*

Версия от 13.0 (включая) до 13.4.4 (исключая)

cpe:2.3:a:xwiki:commons:*:*:*:*:*:*:*:*

Версия от 13.5 (включая) до 13.8 (исключая)

EPSS

Процентиль: 32%

0.00127

Низкий

4.9 Medium

CVSS3

4 Medium

CVSS2

Дефекты

CWE-611

Связанные уязвимости

GHSA-m2r5-4w96-qxg5

CVSS3: 4.9

github

почти 4 года назад

Arbitrary file access through XML parsing in org.xwiki.commons:xwiki-commons-xml

EPSS

Процентиль: 32%

0.00127

Низкий

4.9 Medium

CVSS3

4 Medium

CVSS2

Дефекты

CWE-611