CVE-2023-26470
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2023-26470
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-26470.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2023-26470
- Aliases
- Published
- 2023-03-02T18:37:23.588Z
- Modified
- 2025-11-27T07:32:29.353675Z
- Severity
-
- 5.7 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- In XWiki Platform, saving a document with a large object number leads to persistent OOM errors
- Details
-
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to make the farm unusable by adding an object to a page with a huge number (e.g. 67108863). Most of the time this will fill the memory allocated to XWiki and make it unusable every time this document is manipulated. This issue has been patched in XWiki 14.0-rc-1.
- Database specific
{ "cna_assigner": "GitHub_M", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/blob/cc431b3424123d84bcd7afd4de150b33f117a8ef/cves/2023/26xxx/CVE-2023-26470.json", "cwe_ids": [ "CWE-400" ] }- References
-
- https://github.com/xwiki/xwiki-platform/commit/04e5a89d2879b160cdfaea846024d3d9c1a525e6
- https://github.com/xwiki/xwiki-platform/commit/db3d1c62fc5fb59fefcda3b86065d2d362f55164
- https://github.com/xwiki/xwiki-platform/commit/fdfce062642b0ac062da5cda033d25482f4600fa
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-92wp-r7hm-42g7
- https://jira.xwiki.org/browse/XWIKI-19223
Affected packages
Git / github.com/xwiki/xwiki-commons
Git / github.com/xwiki/xwiki-platform
Affected ranges
- Type
- GIT
- Repo
- https://github.com/xwiki/xwiki-platform
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedFixedFixed
Affected versions
xwiki-application-calendar-1.*
xwiki-application-calendar-1.0
xwiki-platform-7.*
xwiki-platform-7.3-milestone-2
xwiki-platform-7.4-milestone-1
xwiki-platform-7.4-milestone-2
xwiki-platform-8.*
xwiki-platform-8.0-milestone-1
xwiki-platform-8.0-milestone-2
xwiki-platform-8.1-milestone-1
xwiki-platform-8.1-milestone-2
xwiki-platform-8.2-milestone-1
xwiki-platform-8.2-milestone-2
xwiki-platform-8.3-milestone-1
xwiki-platform-9.*
xwiki-platform-9.9-rc-2
xwiki-plugin-tag-1.*
xwiki-plugin-tag-1.1
Database specific
vanir_signatures
[
{
"source": "https://github.com/xwiki/xwiki-platform/commit/db3d1c62fc5fb59fefcda3b86065d2d362f55164",
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2023-26470-31a3a081",
"target": {
"function": "createXObject",
"file": "xwiki-platform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/doc/XWikiDocument.java"
},
"digest": {
"function_hash": "162982444882706060456911939495662140995",
"length": 478.0
},
"signature_type": "Function"
},
{
"source": "https://github.com/xwiki/xwiki-platform/commit/db3d1c62fc5fb59fefcda3b86065d2d362f55164",
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2023-26470-376210bc",
"target": {
"file": "xwiki-platform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/doc/XWikiDocument.java"
},
"digest": {
"line_hashes": [
"107365386055247957824311621861029421179",
"10806648339512880229082280402232427470",
"18112771901228656368339513250831176279",
"283088551155077798911024095581038912407",
"47638493996312065551281523437180186244",
"37120120539498598035434808918923882335",
"103390841842947101317514130657887559406",
"131995932511695576457973733735466156404",
"124540728414861999004626094801985644456",
"88575755822371837925463420844344993487",
"59091495087567423216286060841633392902",
"259995434559700851456469657647869156232",
"24104785770449812015482726083544103088",
"325752346233334507102580646611322052410",
"335493838360558633997221643032722723623",
"259518320300250198967200787227260670551",
"44504848073072710872448324673328629532",
"208826133914309042692146120418029869738",
"325387585222225192812167325320185267435",
"173495676072195711075235621706515083876",
"74094923031466189632352938471091954614",
"206429948846584780752191205639549453619",
"270716188235162356359892803584453759689",
"254208590809439537575177621839021413421",
"260681395229522214299579451677641626835",
"80600619688287897006873020681000750102",
"158813849944545713789005409986357862089",
"69283635850891306178353613191906725222",
"241264921026672593184902832976529633147",
"257707398589898655730526862528772446456",
"300470075703282749703013450039391741596",
"309069382040310658415306366736795645345",
"237324270421269425198676450125529564888",
"248102580921084048401372352722599763598",
"303396169525978701271132901243215530149",
"150098391235913778837021909308013488708",
"55702840428771902954452225352204432296",
"200201902988366128963749690401281930120",
"261328947899064030574299502661049104030",
"51163973233630868926143316052401821281",
"21163168060610056249145120485840946195",
"10993013878205153299647059097865040255",
"306939114046088543384664494135205702771",
"189049671301690274894388599286403752257",
"213926117780710060132371092435853466513",
"29678648962872236111226882292325227295",
"293334872681181926762642000618397787129",
"247661924688597548512804768886245380427"
],
"threshold": 0.9
},
"signature_type": "Line"
},
{
"source": "https://github.com/xwiki/xwiki-platform/commit/db3d1c62fc5fb59fefcda3b86065d2d362f55164",
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2023-26470-4ea56447",
"target": {
"function": "setXObject",
"file": "xwiki-platform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/doc/XWikiDocument.java"
},
"digest": {
"function_hash": "75814401460192767326205927559604911598",
"length": 422.0
},
"signature_type": "Function"
},
{
"source": "https://github.com/xwiki/xwiki-platform/commit/db3d1c62fc5fb59fefcda3b86065d2d362f55164",
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2023-26470-6a05885d",
"target": {
"function": "setXObjects",
"file": "xwiki-platform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/doc/XWikiDocument.java"
},
"digest": {
"function_hash": "118873765501090225650691978441706795774",
"length": 378.0
},
"signature_type": "Function"
},
{
"source": "https://github.com/xwiki/xwiki-platform/commit/db3d1c62fc5fb59fefcda3b86065d2d362f55164",
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2023-26470-7fd6fed8",
"target": {
"function": "setXObjects",
"file": "xwiki-platform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/doc/XWikiDocument.java"
},
"digest": {
"function_hash": "329622958765188527138551009095177868516",
"length": 290.0
},
"signature_type": "Function"
},
{
"source": "https://github.com/xwiki/xwiki-platform/commit/db3d1c62fc5fb59fefcda3b86065d2d362f55164",
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2023-26470-8e78bc8a",
"target": {
"function": "getXObjects",
"file": "xwiki-platform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/doc/XWikiDocument.java"
},
"digest": {
"function_hash": "92377858042354679591238550177930840001",
"length": 47.0
},
"signature_type": "Function"
},
{
"source": "https://github.com/xwiki/xwiki-platform/commit/db3d1c62fc5fb59fefcda3b86065d2d362f55164",
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2023-26470-a57e7626",
"target": {
"function": "setXObject",
"file": "xwiki-platform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/doc/XWikiDocument.java"
},
"digest": {
"function_hash": "330889214531247904948492658369049316677",
"length": 413.0
},
"signature_type": "Function"
}
]