CVE-2022-29253

Опубликовано: 25 мая 2022

Источник: nvd

CVSS3: 2.7

CVSS2: 4

EPSS Низкий

Описание

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting with version 8.3-rc-1 and prior to versions 12.10.3 and 14.0, one can ask for any file located in the classloader using the template API and a path with ".." in it. The issue is patched in versions 14.0 and 13.10.3. There is no easy workaround for this issue.

Ссылки

https://github.com/xwiki/xwiki-platform/commit/4917c8f355717bb636d763844528b1fe0f95e8e2
Patch
Third Party Advisory
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-9qrp-h7fw-42hg
Third Party Advisory
https://jira.xwiki.org/browse/XWIKI-19349
Vendor Advisory
https://github.com/xwiki/xwiki-platform/commit/4917c8f355717bb636d763844528b1fe0f95e8e2
Patch
Third Party Advisory
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-9qrp-h7fw-42hg
Third Party Advisory
https://jira.xwiki.org/browse/XWIKI-19349
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*

Версия от 8.4 (включая) до 13.10.3 (исключая)

cpe:2.3:a:xwiki:xwiki:8.3:rc1:*:*:*:*:*:*

EPSS

Процентиль: 20%

0.00063

Низкий

2.7 Low

CVSS3

4 Medium

CVSS2

Дефекты

CWE-22

Связанные уязвимости

GHSA-9qrp-h7fw-42hg