CVE-2022-24897

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-24897
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-24897.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-24897
Aliases
Published
2022-05-02T22:15:09Z
Modified
2024-10-12T09:20:49.486368Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

APIs to evaluate content with Velocity is a package for APIs to evaluate content with Velocity. Starting with version 2.3 and prior to 12.6.7, 12.10.3, and 13.0, the velocity scripts are not properly sandboxed against using the Java File API to perform read or write operations on the filesystem. Writing an attacking script in Velocity requires the Script rights in XWiki so not all users can use it, and it also requires finding an XWiki API which returns a File. The problem has been patched in versions 12.6.7, 12.10.3, and 13.0. There is no easy workaround for fixing this vulnerability other than upgrading and being careful when giving Script rights.

References

Affected packages

Git / github.com/xwiki/xwiki-commons

Affected ranges

Type
GIT
Repo
https://github.com/xwiki/xwiki-commons
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Type
GIT
Repo
https://github.com/xwiki/xwiki-platform
Events

Affected versions

xwiki-commons-7.*

xwiki-commons-7.3-milestone-2
xwiki-commons-7.4-milestone-1
xwiki-commons-7.4-milestone-2

xwiki-commons-8.*

xwiki-commons-8.0-milestone-1
xwiki-commons-8.0-milestone-2
xwiki-commons-8.1-milestone-1
xwiki-commons-8.1-milestone-2
xwiki-commons-8.2-milestone-1
xwiki-commons-8.2-milestone-2
xwiki-commons-8.3-milestone-1
xwiki-commons-8.3-milestone-2