FeedlyFeedly
CVEsCVEs
Threat IntelligenceThreat Intelligence
Threat IntelligenceThreat Intelligence
Log in
ChangelogChangelog
ChangelogChangelog
Log in
Log in
Start Free Trial
Start Free Trial
FeedlyFeedly
CVEsCVEs
Threat IntelligenceThreat Intelligence
Threat IntelligenceThreat Intelligence
Log in
ChangelogChangelog
ChangelogChangelog
Log in
Log in
Start Free Trial
Start Free Trial

CVE-2024-37901

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') (CWE-95)

Published: Jul 31, 2024

010
CVSS 8.8EPSS 0.04%High
CVE info copied to clipboard

Summary

A critical vulnerability in XWiki allows any user with edit rights on any page to perform arbitrary remote code execution. This is achieved by adding instances of XWiki.SearchSuggestConfig and XWiki.SearchSuggestSourceClass to their user profile or any other page. The vulnerability affects the entire XWiki installation, compromising its confidentiality, integrity, and availability. It impacts XWiki versions from 9.2 up to, but not including, 14.10.21, from 15.0 up to, but not including, 15.5.5, and from 15.6 up to, but not including, 15.10.2.

Impact

This vulnerability has severe impacts: 1. Remote Code Execution: Attackers can execute arbitrary code on the server, potentially leading to full system compromise. 2. Privilege Escalation: Users with only edit rights can gain programming-level access, bypassing intended access controls. 3. Data Breach: The confidentiality impact is high, meaning sensitive information stored in the XWiki installation could be exposed. 4. System Integrity: With high integrity impact, attackers could modify or delete critical data and configurations. 5. Service Disruption: The high availability impact suggests that attackers could potentially crash or render the XWiki service inoperable. The attack is particularly dangerous as it requires only low privileges (edit rights) and no user interaction, making it relatively easy to exploit. The CVSS v3.1 base score is 8.8 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and high impact across confidentiality, integrity, and availability.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.

Patch

A patch is available. The vulnerability was publicly disclosed on July 31, 2024, and a patch was added on the same day according to the Github Advisory. Multiple patch commits have been made available on GitHub. Users should update to XWiki versions 14.10.21, 15.5.5, or 15.10.2 or later, depending on their current version.

Mitigation

1. Apply the patch immediately: Update to the latest version of XWiki as soon as possible. 2. Access Control Review: Temporarily restrict edit rights to trusted users only until the patch can be applied. 3. Monitor Logs: Actively monitor for suspicious activities, particularly looking for unauthorized access attempts or unexpected log entries. 4. User Education: Inform users about the risks of this vulnerability and the importance of responsible editing practices. 5. Network Segmentation: If possible, isolate XWiki instances from critical systems until patching is complete. 6. Backup: Ensure all data is securely backed up in case of any compromise. 7. Security Assessment: After patching, conduct a thorough security assessment to ensure no unauthorized changes were made to the system.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

CVSS

A CVSS base score of 9.9 has been assigned.

Jul 31, 2024 at 3:30 PM / github_advisories
First Article

Feedly found the first article mentioning CVE-2024-37901. See article

Jul 31, 2024 at 3:30 PM / GitHub Advisory Database
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Jul 31, 2024 at 3:30 PM
CVE Assignment

NVD published the first details for CVE-2024-37901

Jul 31, 2024 at 4:15 PM
EPSS

EPSS Score was set to: 0.04% (Percentile: 10.7%)

Aug 1, 2024 at 9:46 AM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (731743)

Sep 4, 2024 at 7:53 AM
CVSS

A CVSS base score of 8.8 has been assigned.

Sep 6, 2024 at 8:55 PM / nvd
Static CVE Timeline Graph

Affected Systems

Xwiki/xwiki
+null more

Patches

Github Advisory
+null more

Links to Mitre Att&cks

T1495: Firmware Corruption
+null more

Attack Patterns

CAPEC-35: Leverage Executable Code in Non-Executable Files
+null more

Vendor Advisory

[GHSA-h63h-5c77-77p5] XWiki Platform vulnerable to remote code execution from account via SearchSuggestConfigSheet
GitHub Advisory Database / 3mo
To reproduce on an instance, as a user without script nor programming rights, add an object of type XWiki.SearchSuggestConfig to your profile page, and an object of type XWiki.SearchSuggestSourceClass as well. To reproduce on an instance, as a user without script nor programming rights, add an object of type XWiki.SearchSuggestConfig to your profile page, and an object of type XWiki.SearchSuggestSourceClass as well.

News

US-CERT Vulnerability Summary for the Week of July 29, 2024
RedPacket Security / 3mo
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available. Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores: High : vulnerabilities with a CVSS base score of 7.0–10.0 Medium : vulnerabilities with a CVSS base score of 4.0–6.9 Low : vulnerabilities with a CVSS base score of 0.0–3.9 Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links.
Vulnerability Summary for the Week of July 29, 2024
Bulletins / 3mo
High Vulnerabilities Primary Vendor -- Product Description Published CVSS Score Source & Patch Info Apache Software Foundation--Apache SeaTunnel Web Web Authentication vulnerability in Apache SeaTunnel. Since the jwt key is hardcoded in the application, an attacker can forge any token to log in any user. Attacker can get secret key in /seatunnel-server/seatunnel-app/src/main/resources/application.yml and then create a token. This issue affects Apache SeaTunnel: 1.0.0. Users are recommended to upgrade to version 1.0.1, which fixes the issue. 2024-07-30 9.1 CVE-2023-48396 security@apache.org security@apache.org n/a--n/a An issue was discovered in Italtel i-MCS NFV 12.1.0-20211215. There is Incorrect Access Control. 2024-07-29 9.1 CVE-2024-28805 cve@mitre.org n/a--n/a Prototype pollution in allpro form-manager 0.7.4 allows attackers to run arbitrary code and cause other impacts via the functions setDefaults, mergeBranch, and Object.setObjectValue. 2024-07-30 9.8 CVE-2024-36572 cve@mitre.org cve@mitre.org n/a--n/a SQL Injection vulnerability in Lost and Found Information System 1.0 allows a remote attacker to escalate privileges via the id parameter to php-lfis/admin/categories/manage_category.php.
Update Wed Jul 31 22:29:12 UTC 2024
Recent Commits to cve:main / 3mo
Update Wed Jul 31 22:29:12 UTC 2024
NA - CVE-2024-37901 - XWiki Platform is a generic wiki platform...
Security-Database Alerts Monitor : Last 100 Alerts / 3mo
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with edit right on any page can perform arbitrary remote code execution by adding...
CVE-2024-37901
Updated CVEs from Tenable / 3mo
Critical Severity Description XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with edit right on any page can perform arbitrary remote code execution by adding instances of `XWiki.SearchSuggestConfig` and `XWiki.SearchSuggestSourceClass` to their user profile or any other page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 14.10.21, 15.5.5 and 15.10.2. Read more at https://www.tenable.com/cve/CVE-2024-37901
See 6 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:Low
User Interaction:None
Scope:Unchanged
Confidentiality:High
Integrity:High
Availability Impact:High

Categories

CVSS 8.8(18246)CWE-95(67)CWE-862(3425)CWE-94(4001)Xwiki(219)

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI

Feedly Threat Intelligence30-day free trial