Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') (CWE-95)
XWiki's database search feature contains a vulnerability that allows remote code execution through the search text. This vulnerability affects both public and private wikis, as the database search is accessible to all users by default. An attacker can craft a malicious search query that executes arbitrary code on the server, compromising the entire XWiki installation. The vulnerability can be exploited without authentication, making it particularly dangerous.
The impact of this vulnerability is severe and far-reaching:
1. Complete system compromise: An attacker can gain full control over the vulnerable XWiki server by executing arbitrary code.
2. Data breach: Sensitive information stored in the wiki could be accessed and exfiltrated.
3. System takeover: The attacker could gain control over the server hosting the XWiki installation.
4. Malicious activities: The compromised server could be used for unauthorized activities such as cryptocurrency mining, ransomware deployment, or as a launchpad for further network intrusion.
5. Loss of confidentiality, integrity, and availability: The vulnerability affects the core functionality and trust of the entire application.
The severity is underscored by its CVSS v3.1 base score of 10.0, which is the highest possible score, indicating critical severity. The attack vector is network-based, requires low complexity, no privileges, and no user interaction, with the potential to change the scope of the attack.
Multiple proof-of-concept exploits are available on github.com. Its exploitation has been reported by various sources, including github.com.
A patch is available to address this vulnerability. It was released on 2024-04-10, as per the GitHub Advisory. It is critical to apply this patch as soon as possible on all affected XWiki installations to mitigate the risk.
Until the patch can be applied, consider the following mitigation strategies:
1. Restrict access to the /xwiki/bin/get/Main/DatabaseSearch page to only trusted users and IPs.
2. If the database search feature is not critical, consider disabling it temporarily.
3. Implement strong authentication and access control mechanisms.
4. Monitor for suspicious activities or unauthorized access attempts.
5. Regularly back up XWiki data to ensure quick recovery in case of a successful attack.
However, applying the official patch should be prioritized as the primary and most effective mitigation strategy. Given the critical nature of this vulnerability and the availability of multiple proof-of-concept exploits, patching should be treated as an urgent priority.
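One way to act on mitigation points 1 and 4 above is to audit web-server access logs for requests to the database search page that come from outside a trusted network or carry no authenticated user. This is an added example, not code from the advisory or from XWiki; the log lines are constructed, and the trusted network range, combined log format and finding fields are assumptions.

```python
import ipaddress
import re

# Constructed sample access-log lines in Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [11/Apr/2024:10:02:11 +0000] "GET /xwiki/bin/get/Main/DatabaseSearch?text=roadmap HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.12 - admin [11/Apr/2024:10:03:45 +0000] "GET /xwiki/bin/get/Main/DatabaseSearch?text=budget HTTP/1.1" 200 1034 "-" "Mozilla/5.0"
198.51.100.23 - - [11/Apr/2024:10:04:01 +0000] "POST /xwiki/bin/get/Main/DatabaseSearch HTTP/1.1" 200 2048 "-" "python-requests/2.31"
10.0.0.12 - admin [11/Apr/2024:10:05:00 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Fields of a combined-format line up to the status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Endpoint named in the advisory; the trusted range is an assumed local policy.
WATCHED_PATH = "/xwiki/bin/get/Main/DatabaseSearch"
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_line(line):
    # Return the parsed fields, or None for lines that do not match the format.
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["path"] = fields["target"].split("?", 1)[0]  # drop the query string
    return fields


def is_trusted(ip):
    # True when the client address falls inside one of the trusted networks.
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def audit(log_text):
    # Flag every hit on the search page that violates the access policy.
    findings = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None or f["path"] != WATCHED_PATH:
            continue
        reasons = []
        if not is_trusted(f["ip"]):
            reasons.append("source not in trusted networks")
        if f["user"] == "-":
            reasons.append("unauthenticated request")
        if reasons:
            findings.append({"ip": f["ip"], "ts": f["ts"], "method": f["method"], "reasons": reasons})
    return findings
```

Run `audit()` over the real access log text; the trusted, authenticated hit from 10.0.0.12 is not reported, while the two external unauthenticated requests are.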
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Detection for the vulnerability has been added to Qualys (998037)
A CVSS base score of 10 has been assigned.
Feedly found the first article mentioning CVE-2024-31982.
NVD published the first details for CVE-2024-31982
EPSS Score was set to: 0.05% (Percentile: 13.8%)
Feedly estimated the CVSS score as HIGH
Attacks in the wild have been reported by PoC-in-GitHub RSS.