CVE-2022-36099

Critical · Public PoC · RCE

Published: 08 September 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: available (13.10.6, 14.4)
CVSS Score v3.1: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.2170 (95.9th percentile)
Risk Priority: 33 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-36099 is a critical-severity Code Injection (CWE-94) vulnerability in XWiki Platform (NVD vendor/product: xwiki/xwiki). Its CVSS base score is 9.9 (Critical).

Operationally, it ranks in the top 4.1% of CVEs by exploit likelihood (EPSS 95.9th percentile); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

XWiki Platform's Wiki UI Main Wiki component is affected by an injection vulnerability in the XWikiServerClassSheet (or WikiManager.XWikiServerClassSheet) that permits arbitrary wiki syntax, including Groovy, Python, and Velocity macros, to be supplied through a URL parameter. The flaw impacts versions from 5.3-milestone-2 through 13.10.5 and 14.3.x, allowing script execution when an attacker has view rights on the sheet and at least one page persisted with programming rights, conditions that are common on both public read-only and authenticated private installations.

An authenticated user meeting the view-access prerequisites can therefore execute code that bypasses all rights checks, resulting in full read/write access to every document, potential denial of service, and complete compromise of the XWiki instance. The attack requires no user interaction beyond crafting a malicious request and leverages the sheet's failure to sanitize or escape the supplied parameter before macro evaluation.

The official XWiki advisories and the patches released in 13.10.6 and 14.4 address the issue by correcting the input handling inside the affected sheet. Administrators can apply the fix by manually editing XWiki.XWikiServerClassSheet, importing the corrected document from the 14.4 xwiki-platform-wiki-ui-mainwiki package via the administration import feature, or upgrading to a patched release.
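The description above names the vector (script macros arriving through a URL parameter on a request that involves the XWikiServerClassSheet) but gives no detection guidance. The following Python is an added example, not code from this page or the XWiki project: it scans constructed access-log lines for requests carrying a Groovy, Python or Velocity macro opening in any query parameter and records whether the request references the sheet. The log format, the sample lines and the parameter names are assumptions, and the double-URL-decoding step goes beyond what the advisory describes.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Common/combined access-log prefix: client, ident, user, [time], "METHOD url PROTO", status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')
# Sheet document named in the advisory; it can show up in the path or inside a request parameter.
SHEET = "XWikiServerClassSheet"
# Script macros the advisory says the sheet would evaluate when supplied through a URL parameter.
MACRO_RE = re.compile(r"\{\{\s*(groovy|python|velocity)\b", re.IGNORECASE)

def decode_repeatedly(value, rounds=3):
    """URL-decode until the value stops changing, so double-encoded input is also seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_request(url):
    """Return (references_sheet, [(param, macro), ...]) for one request URL."""
    parts = urlsplit(url)
    references_sheet = SHEET in decode_repeatedly(parts.path) or SHEET in decode_repeatedly(parts.query)
    findings = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):  # parse_qsl decodes one layer
        match = MACRO_RE.search(decode_repeatedly(value))
        if match:
            findings.append((name, match.group(1).lower()))
    return references_sheet, findings

def scan_access_log(lines):
    """Flag every request carrying a script macro in a parameter; note whether the sheet is involved."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m: continue  # not in the expected log format
        references_sheet, findings = inspect_request(m["url"])
        if findings:
            alerts.append({"client": m["ip"], "time": m["ts"], "url": m["url"],
                           "targets_sheet": references_sheet, "macros": findings})
    return alerts

# Constructed sample lines (not real traffic): plain sheet view, macro aimed at the sheet, double-encoded macro, macro on an unrelated page.
SAMPLE_LOG = [
    '203.0.113.5 - - [08/Sep/2022:10:00:01 +0000] "GET /xwiki/bin/view/XWiki/XWikiServerClassSheet HTTP/1.1" 200 512',
    '203.0.113.5 - - [08/Sep/2022:10:00:02 +0000] "GET /xwiki/bin/view/XWiki/XWikiServerClassSheet?x=%7B%7Bvelocity%7D%7D HTTP/1.1" 200 640',
    '198.51.100.9 - - [08/Sep/2022:10:00:03 +0000] "GET /xwiki/bin/view/XWiki/XWikiServerClassSheet?x=%257B%257Bpython%257D%257D HTTP/1.1" 200 640',
    '198.51.100.9 - - [08/Sep/2022:10:00:04 +0000] "GET /xwiki/bin/view/Main/WebHome?q=%7B%7Bgroovy%7D%7D HTTP/1.1" 200 300',
]
```

Requests that hit the sheet with a macro parameter are the ones to triage first; a macro on an unrelated page is still worth a look, since the same parameter could be replayed against the sheet.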

EPSS for the CVE has remained flat at 0.2170 with no material increase after disclosure.

Vulnerability details

XWiki Platform Wiki UI Main Wiki is software for managing subwikis on XWiki Platform, a generic wiki platform. Starting with version 5.3-milestone-2 and prior to versions 13.10.6 and 14.4, it's possible to inject arbitrary wiki syntax including Groovy, Python and Velocity script macros via the request (URL parameter) using the `XWikiServerClassSheet` if the user has view access to this sheet and another page that has been saved with programming rights, a standard condition on a public read-only XWiki installation or a private XWiki installation where the user has an account. This allows arbitrary Groovy/Python/Velocity code execution which allows bypassing all rights checks and thus both modification and disclosure of all content stored in the XWiki installation. Also, this could be used to impact the availability of the wiki. This has been patched in versions 13.10.6 and 14.4. As a workaround, edit the affected document `XWiki.XWikiServerClassSheet` or `WikiManager.XWikiServerClassSheet` and manually perform the changes from the patch fixing the issue. On XWiki versions 12.0 and later, it is also possible to import the document `XWiki.XWikiServerClassSheet` from the xwiki-platform-wiki-ui-mainwiki package version 14.4 using the import feature of the administration application as there have been no other changes to this document since XWiki 12.0.

CWE(s)

CWE-94 (Code Injection), CWE-116 (Improper Encoding or Escaping of Output)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: xwiki
Product: xwiki
Versions: 5.3 · 5.4 — 13.10.6 · 14.0 — 14.4

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-94: Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.
- Addresses CWE-94: Dynamically generated code can be produced and executed inside the isolated chamber, preventing host compromise from code-injection payloads.
- Addresses CWE-94: Validates inputs used in dynamic code generation to block injected directives.
- Addresses CWE-116: Validating that output matches expected content directly mitigates failures to properly encode or escape data for its destination context.
- Addresses CWE-94: Directly prevents execution of attacker-supplied code written into data memory regions.
