SonicWall reports CVE-2024-31984, a critical remote code execution flaw in XWiki caused by insufficient input validation of space titles, with a CVSS of 9.9. It can be mitigated with patches or a manual workaround until upgrades are deployed. #XWiki #Solr #Groovy #CSRF
Keypoints
- The vulnerability CVE-2024-31984 allows remote, authenticated attackers to execute arbitrary code on the target server by crafting document titles.
- Affected XWiki Platform versions span from 7.2-rc-1 up to but not including patched versions 14.10.20, 15.5.4 and 15.10-rc-1.
- A patch is provided in newer releases (14.10.20, 15.5.4, 15.10-rc-1) and a manual patch exists for Main.SolrSpaceFacet to mitigate until upgrades are possible.
- The root cause is inadequate input validation of title fields, allowing script elements in titles to be executed during rendering.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – The vulnerability is exploited through the Solr-based search mechanism, enabling remote code execution via crafted titles. “The four main triggers of the vulnerability in XWiki, allowing remote code execution via the Solr-based search mechanism, can be detailed as follows:”
- [T1059] Command and Scripting Interpreter – The script embedded in the document’s title uses Groovy code that executes shell commands. “the script embedded in the document’s title, using XWiki’s syntax to embed Groovy code that executes shell commands.”
- [T1078] Valid Accounts – Any user with the ability to edit titles of a space can exploit this vulnerability. “Any user with the ability to edit titles of a space, which by default is every user, can exploit this vulnerability.”
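The techniques above hinge on script macros placed in a document or space title. As an added defensive example (not code from SonicWall or the XWiki project), the following Python scans a list of document references and titles for XWiki script macro syntax such as `{{groovy}}` or `{{velocity}}`, which has no legitimate reason to appear in a title. The `(doc_ref, title)` input format, the macro list and the sample titles are assumptions and constructed data; in practice the titles would be pulled from a XAR export or the XWiki REST API.

```python
import re

# Macro names that can execute server-side code when rendered.
# Assumption: this list covers the script macros most relevant to the CVE; extend as needed.
SCRIPT_MACROS = frozenset({"groovy", "velocity", "python", "script"})

# XWiki 2.x macro syntax: {{name param=value}} ... {{/name}} or {{name/}}.
# Captures the macro name from both opening and closing tags.
MACRO_RE = re.compile(r"\{\{\s*/?\s*([A-Za-z][\w-]*)[^}]*\}\}")


def find_macros(title):
    """Return every macro name (lowercased) that appears in a title, in order."""
    return [m.group(1).lower() for m in MACRO_RE.finditer(title)]


def is_suspicious_title(title):
    """True if the title contains at least one code-executing macro."""
    return any(name in SCRIPT_MACROS for name in find_macros(title))


def scan_titles(entries):
    """Scan (doc_ref, title) pairs; return [(doc_ref, [script macro names])] for each hit."""
    findings = []
    for doc_ref, title in entries:
        hits = sorted({name for name in find_macros(title) if name in SCRIPT_MACROS})
        if hits:
            findings.append((doc_ref, hits))
    return findings


# Constructed sample data: the second and third titles carry script macros,
# the fourth uses a harmless formatting macro, the fifth has stray braces only.
SAMPLE_TITLES = [
    ("Main.WebHome", "Welcome to the wiki"),
    ("Sandbox.WebHome", "Q2 report {{groovy}}println 'hello'{{/groovy}}"),
    ("Main.Search", "{{velocity}}$doc.name{{/velocity}}"),
    ("Docs.Info", "Use {{info}}Note{{/info}} carefully"),
    ("Docs.Braces", "Config {{ not a macro"),
]

if __name__ == "__main__":
    for doc_ref, macros in scan_titles(SAMPLE_TITLES):
        print(f"{doc_ref}: script macro(s) in title -> {', '.join(macros)}")
```

Run this against a periodic export of all document titles; any hit warrants checking the document's edit history for the account that set the title, which ties back to T1078 above.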
Indicators of Compromise
- [URL] context – login flow and exploitation endpoints. loginPageURL = baseURL + 'xwiki/bin/login/XWiki/XWikiLogin?loginLink=1', loginURL = baseURL + 'xwiki/bin/loginsubmit/XWiki/XWikiLogin'
- [URL] context – document handling and search steps. Document edit/preview and search actions use URLs like baseURL + "xwiki/bin/preview/" + targetDoc and baseURL + "xwiki/bin/view/Main/Search?text=test"
- [Version] context – affected and patched versions to monitor for exposure and upgrade needs – affected: 7.2-rc-1 up to 15.10-rc-1; patched: 14.10.20, 15.5.4, 15.10-rc-1
- [Credential] context – the attacker's tooling is configured with the server URL, a username and a password to establish an authenticated session prior to exploitation
Read more: https://blog.sonicwall.com/en-us/2024/05/xwiki-remote-code-execution-vulnerability/