XWiki Office Converter Path Traversal RCE pre-15.3RC1 (v3.5-14.10.8)
CVE-2023-37913 Published on October 25, 2023
org.xwiki.platform:xwiki-platform-office-importer vulnerable to arbitrary server side file writing from account through office converter
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 3.5-milestone-1 and prior to versions 14.10.8 and 15.3-rc-1, triggering the office converter with a specially crafted file name allows writing the attachment's content to an attacker-controlled location on the server as long as the Java process has write access to that location. In particular in the combination with attachment moving, a feature introduced in XWiki 14.0, this is easy to reproduce but it also possible to reproduce in versions as old as XWiki 3.5 by uploading the attachment through the REST API which doesn't remove `/` or `\` from the filename. As the mime type of the attachment doesn't matter for the exploitation, this could e.g., be used to replace the `jar`-file of an extension which would allow executing arbitrary Java code and thus impact the confidentiality, integrity and availability of the XWiki installation. This vulnerability has been patched in XWiki 14.10.8 and 15.3RC1. There are no known workarounds apart from disabling the office converter.
Vulnerability Analysis
CVE-2023-37913 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. Public availability of a proof of concept (POC) exploit exists for CVE-2023-37913. The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.
Weakness Types
Relative Path Traversal
The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory. This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory.
What is a Directory traversal Vulnerability?
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CVE-2023-37913 has been classified to as a Directory traversal vulnerability or weakness.
Products Associated with CVE-2023-37913
Want to know whenever a new CVE is published for Xwiki? stack.watch will email you.
Affected Versions
xwiki-platform:- Version >= 3.5-milestone-1, < 14.10.8 is affected.
- Version >= 15.0-rc-1, < 15.3-rc-1 is affected.
Vulnerable Packages
The following package name and versions may be associated with CVE-2023-37913
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| maven | org.xwiki.platform:xwiki-platform-office-importer | >= 3.5-milestone-1, < 14.10.8 | 14.10.8 |
| maven | org.xwiki.platform:xwiki-platform-office-importer | >= 15.0-rc-1, < 15.3-rc-1 | 15.3-rc-1 |
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.