xwiki xwiki CVE-2022-29253 is a vulnerability in Xwiki
Published on May 25, 2022

Path Traversal in XWiki Platform
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting with version 8.3-rc-1 and prior to versions 12.10.3 and 14.0, one can ask for any file located in the classloader using the template API and a path with ".." in it. The issue is patched in versions 14.0 and 13.10.3. There is no easy workaround for this issue.

Github Repository NVD

Vulnerability Analysis

CVE-2022-29253 can be exploited with network access, and requires user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a small impact on integrity and availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
HIGH
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
LOW
Integrity Impact:
NONE
Availability Impact:
NONE

Weakness Types

Path Traversal: '../filedir'

The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize "../" sequences that can resolve to a location that is outside of that directory.

What is a Directory traversal Vulnerability?

The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

CVE-2022-29253 has been classified to as a Directory traversal vulnerability or weakness.


Products Associated with CVE-2022-29253

Want to know whenever a new CVE is published for Xwiki? stack.watch will email you.

Xwiki
 

Affected Versions

xwiki-platform Version >= 8.3-rc-1, < 13.10.3 is affected by CVE-2022-29253

Vulnerable Packages

The following package name and versions may be associated with CVE-2022-29253

Package Manager Vulnerable Package Versions Fixed In
maven org.xwiki.platform:xwiki-platform-oldcore >= 8.3-rc-1, < 13.10.3 13.10.3

Exploit Probability

EPSS
0.06%
Percentile
19.71%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.