CVE-2022-41931

xwiki-platform-icon-ui is vulnerable to Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'). Any user with view rights on commonly accessible documents including the icon picker macro can execute arbitrary Groovy, Python or Velocity code in XWiki due to improper neutralization of the macro parameters of the icon picker macro. The problem has been patched in XWiki 13.10.7, 14.5 and 14.4.2. Workarounds: The [patch](https://github.com/xwiki/xwiki-platform/commit/47eb8a5fba550f477944eb6da8ca91b87eaf1d01) can be manually applied by editing `IconThemesCode.IconPickerMacro` in the object editor. The whole document can also be replaced by the current version by importing the document from the XAR archive of a fixed version as the only changes to the document have been security fixes and small formatting changes.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/xwiki/xwiki-platform/commit/47eb8a5fba550f477944eb6da8ca91b87eaf1d01	Patch Third Party Advisory
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-5j7g-cf6r-g2h7	Exploit Patch Third Party Advisory
https://jira.xwiki.org/browse/XWIKI-19805	Exploit Issue Tracking Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:xwiki:xwiki::::::::
	cpe:2.3:a:xwiki:xwiki::::::::
	cpe:2.3:a:xwiki:xwiki:6.4:milestone2::::::
	cpe:2.3:a:xwiki:xwiki:6.4:milestone3::::::
	cpe:2.3:a:xwiki:xwiki:14.4.3:::::::*
	cpe:2.3:a:xwiki:xwiki:14.4.4:::::::*

History

No history.

Information

Published : 2022-11-23 20:15

Updated : 2024-02-28 19:51

NVD link : CVE-2022-41931

Mitre link : CVE-2022-41931

CVE.ORG link : CVE-2022-41931

JSON object : View

Products Affected

xwiki

xwiki

CWE

CWE-95

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

{"id": "CVE-2022-41931", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.1}]}, "published": "2022-11-23T20:15:10.023", "references": [{"url": "https://github.com/xwiki/xwiki-platform/commit/47eb8a5fba550f477944eb6da8ca91b87eaf1d01", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-5j7g-cf6r-g2h7", "tags": ["Exploit", "Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://jira.xwiki.org/browse/XWIKI-19805", "tags": ["Exploit", "Issue Tracking", "Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-95"}]}], "descriptions": [{"lang": "en", "value": "xwiki-platform-icon-ui is vulnerable to Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'). Any user with view rights on commonly accessible documents including the icon picker macro can execute arbitrary Groovy, Python or Velocity code in XWiki due to improper neutralization of the macro parameters of the icon picker macro. The problem has been patched in XWiki 13.10.7, 14.5 and 14.4.2. Workarounds: The [patch](https://github.com/xwiki/xwiki-platform/commit/47eb8a5fba550f477944eb6da8ca91b87eaf1d01) can be manually applied by editing `IconThemesCode.IconPickerMacro` in the object editor. The whole document can also be replaced by the current version by importing the document from the XAR archive of a fixed version as the only changes to the document have been security fixes and small formatting changes."}, {"lang": "es", "value": "xwiki-platform-icon-ui es vulnerable a una Neutralizaci\u00f3n Inadecuada de Directivas en C\u00f3digo Evaluado Din\u00e1micamente (\"Inyecci\u00f3n de Evaluaci\u00f3n\"). Cualquier usuario con derechos de visualizaci\u00f3n de documentos com\u00fanmente accesibles, incluida la macro del selector de iconos, puede ejecutar c\u00f3digo Groovy, Python o Velocity arbitrario en XWiki debido a una neutralizaci\u00f3n inadecuada de los par\u00e1metros macro de la macro del recolector de iconos. El problema se solucion\u00f3 en XWiki 13.10.7, 14.5 y 14.4.2. Workarounds: el [parche](https://github.com/xwiki/xwiki-platform/commit/47eb8a5fba550f477944eb6da8ca91b87eaf1d01) se puede aplicar manualmente editando `IconThemesCode.IconPickerMacro` en el editor de objetos. El documento completo tambi\u00e9n se puede reemplazar por la versi\u00f3n actual importando el documento desde el archivo XAR de una versi\u00f3n fija, ya que los \u00fanicos cambios en el documento han sido correcciones de seguridad y peque\u00f1os cambios de formato."}], "lastModified": "2022-11-30T17:00:37.137", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A2983665-C5BF-4D43-983A-585BA30399E7", "versionEndExcluding": "13.10.7", "versionStartExcluding": "6.4"}, {"criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B5DF0A47-B3DD-4A49-BA56-35374D029F02", "versionEndExcluding": "14.4.2", "versionStartIncluding": "14.0.0"}, {"criteria": "cpe:2.3:a:xwiki:xwiki:6.4:milestone2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2ED3CF77-5A0B-4A1C-9F83-B5851D415D3E"}, {"criteria": "cpe:2.3:a:xwiki:xwiki:6.4:milestone3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "34004E8E-213E-4D7F-A6BF-953A5A5C3CA6"}, {"criteria": "cpe:2.3:a:xwiki:xwiki:14.4.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C9646DA8-7C5A-458E-975C-A67099D43047"}, {"criteria": "cpe:2.3:a:xwiki:xwiki:14.4.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CDAB9E27-2E41-44EA-BBCB-8015B22272B7"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}