CVE-2022-36100

XWiki Platform Applications Tag and XWiki Platform Tag UI vulnerable to Eval Injection

Severity Score

8.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

XWiki Platform Applications Tag and XWiki Platform Tag UI are tag applications for XWiki, a generic wiki platform. Starting with version 1.7 in XWiki Platform Applications Tag and prior to 13.10.6 and 14.4 in XWiki Platform Tag UI, the tags document `Main.Tags` in XWiki didn't sanitize user inputs properly. This allowed users with view rights on the document (default in a public wiki or for authenticated users on private wikis) to execute arbitrary Groovy, Python and Velocity code with programming rights. This also allowed bypassing all rights checks and thus both modification and disclosure of all content stored in the XWiki installation. The vulnerability could be used to impact the availability of the wiki. On XWiki versions before 13.10.4 and 14.2, this can be combined with CVE-2022-36092, meaning that no rights are required to perform the attack. The vulnerability has been patched in versions 13.10.6 and 14.4. As a workaround, the patch that fixes the issue can be manually applied to the document `Main.Tags` or the updated version of that document can be imported from version 14.4 of xwiki-platform-tag-ui using the import feature in the administration UI on XWiki 10.9 and later.

XWiki Platform Applications Tag y XWiki Platform Tag UI son aplicaciones de etiquetas para XWiki, una plataforma wiki genérica. A partir de la versión 1.7 en XWiki Platform Applications Tag y anteriores a 13.10.6 y 14.4 en XWiki Platform Tag UI, el documento de etiquetas "Main.Tags" en XWiki no saneaba apropiadamente las entradas del usuario. Esto permitió a usuarios con derechos de visualización en el documento (predeterminado en un wiki público o para usuarios autenticados en wikis privados) ejecutar código Groovy, Python y Velocity arbitrario con derechos de programación. Esto también permitió omitir todas las verificaciones de derechos y, por lo tanto, la modificación y divulgación de todo el contenido almacenado en la instalación de XWiki. La vulnerabilidad podría usarse para afectar la disponibilidad de la wiki. En XWiki versiones anteriores a 13.10.4 y la 14.2, esto puede combinarse con CVE-2022-36092, lo que significa que no son requeridos derechos para realizar el ataque. La vulnerabilidad ha sido parcheada en versiones 13.10.6 y 14.4. Como mitigación, el parche que corrige el problema puede aplicarse manualmente al documento "Main.Tags" o la versión actualizada de ese documento puede importarse desde la versión 14.4 de xwiki-platform-tag-ui usando la funcionalidad import en la Interfaz de Usuario de administración en XWiki versión 10.9 y posterior

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-07-15 CVE Reserved
2022-09-08 CVE Published
2024-04-29 EPSS Updated
2024-08-03 CVE Updated
2024-08-03 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-94: Improper Control of Generation of Code ('Code Injection')
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
CWE-116: Improper Encoding or Escaping of Output

CAPEC

References (3)

URL	Tag	Source

URL	Date	SRC
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-2g5c-228j-p52x	2024-08-03
https://jira.xwiki.org/browse/XWIKI-19747	2024-08-03

URL	Date	SRC
https://github.com/xwiki/xwiki-platform/commit/604868033ebd191cf2d1e94db336f0c4d9096427	2023-06-27

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Xwiki Search vendor "Xwiki"		Xwiki Search vendor "Xwiki" for product "Xwiki"				>= 1.7 < 13.10.6 Search vendor "Xwiki" for product "Xwiki" and version " >= 1.7 < 13.10.6"		-		Affected
Xwiki Search vendor "Xwiki"		Xwiki Search vendor "Xwiki" for product "Xwiki"				>= 14.0 < 14.4 Search vendor "Xwiki" for product "Xwiki" and version " >= 14.0 < 14.4"		-		Affected