CVE-2022-36100
Published: 08 September 2022
Summary
CVE-2022-36100 is a critical-severity Code Injection (CWE-94) vulnerability in XWiki (vendor XWiki, product XWiki). Its CVSS base score is 9.9 (Critical).
Operationally, it is ranked in the top 7.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
XWiki Platform Applications Tag and XWiki Platform Tag UI contain an input sanitization flaw in the Main.Tags document. Versions starting at 1.7 for Applications Tag and prior to 13.10.6 and 14.4 for Tag UI fail to sanitize user-supplied content, permitting injection of unsanitized Groovy, Python, and Velocity scripts that execute with programming rights.
An attacker who can view the document—any user on a public wiki or any authenticated user on a private wiki—can therefore run arbitrary code, bypass all access controls, read or modify any stored content, and degrade wiki availability. On releases before 13.10.4 and 14.2 the same flaw can be chained with CVE-2022-36092 to remove the view-right prerequisite entirely.
The issue is fixed in XWiki 13.10.6 and 14.4. The referenced GitHub advisory and commit describe both the patch and a workaround that consists of manually editing Main.Tags or importing the corrected document from the 14.4 release via the administration UI on XWiki 10.9 and later. The associated EPSS score has remained flat at 0.0828 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-6660
Vulnerability details
XWiki Platform Applications Tag and XWiki Platform Tag UI are tag applications for XWiki, a generic wiki platform. Starting with version 1.7 in XWiki Platform Applications Tag and prior to 13.10.6 and 14.4 in XWiki Platform Tag UI, the tags document `Main.Tags` in XWiki didn't sanitize user inputs properly. This allowed users with view rights on the document (default in a public wiki or for authenticated users on private wikis) to execute arbitrary Groovy, Python and Velocity code with programming rights. This also allowed bypassing all rights checks and thus both modification and disclosure of all content stored in the XWiki installation. The vulnerability could be used to impact the availability of the wiki. On XWiki versions before 13.10.4 and 14.2, this can be combined with CVE-2022-36092, meaning that no rights are required to perform the attack. The vulnerability has been patched in versions 13.10.6 and 14.4. As a workaround, the patch that fixes the issue can be manually applied to the document `Main.Tags` or the updated version of that document can be imported from version 14.4 of xwiki-platform-tag-ui using the import feature in the administration UI on XWiki 10.9 and later.
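Because the flaw is reached through user input to the `Main.Tags` document, a defender reviewing historical traffic can look for requests to that page whose parameters carry script-macro or Velocity syntax. The following is an added example (not code from this page or from the XWiki project); it assumes Combined Log Format access logs, the default XWiki URL layout in which the page is served under `/Main/Tags`, and the `tag` query parameter, and the log lines it scans are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (Combined Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Sep/2022:10:01:02 +0000] "GET /xwiki/bin/view/Main/Tags?do=viewTag&tag=security HTTP/1.1" 200 5120
10.0.0.9 - - [08/Sep/2022:10:01:07 +0000] "GET /xwiki/bin/view/Main/Tags?do=viewTag&tag=%7B%7Bgroovy%7D%7Dprintln('x')%7B%7B%2Fgroovy%7D%7D HTTP/1.1" 200 4410
10.0.0.7 - - [08/Sep/2022:10:02:15 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 8800
10.0.0.9 - - [08/Sep/2022:10:03:40 +0000] "GET /xwiki/bin/view/Main/Tags?do=viewTag&tag=%23set(%24x%3D1) HTTP/1.1" 200 4400
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Syntax that never belongs in a tag name: the XWiki script macros the advisory
# names (Groovy, Python, Velocity) plus common Velocity directives and the
# script-service accessor.
SCRIPT_MARKERS = ("{{groovy", "{{python", "{{velocity", "#set(", "#evaluate(", "$services.")

# Assumption: default XWiki URL layout, so the tags document is served under /Main/Tags.
TAG_PAGE_SUFFIX = "/Main/Tags"

def flag_line(line):
    """Return a finding for a Main.Tags request carrying script syntax, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith(TAG_PAGE_SUFFIX):
        return None
    # Inspect every parameter, not only `tag`, so extra or renamed parameters are not missed.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            decoded = unquote(value)  # second decode pass catches double-encoded values
            hits = [mk for mk in SCRIPT_MARKERS if mk in decoded.lower()]
            if hits:
                return {"ip": m.group("ip"), "ts": m.group("ts"), "status": m.group("status"),
                        "param": name, "markers": hits, "value": decoded}
    return None

def scan(log_text):
    """Scan a whole access log; returns the findings in log order."""
    return [f for f in map(flag_line, log_text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding['ts']} {finding['ip']} param={finding['param']} markers={finding['markers']}")
```

A hit only shows that script syntax reached the page; on a patched instance (13.10.6 / 14.4 or later) it is escaped rather than executed, so correlate with the XWiki version running at the time before treating it as a compromise.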
- CWE(s): CWE-94 (Code Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.
- Dynamically generated code can be produced and executed inside the isolated chamber, preventing host compromise from code-injection payloads.
- Validates inputs used in dynamic code generation to block injected directives.
- Validating that output matches expected content directly mitigates failures to properly encode or escape data for its destination context.
- Directly prevents execution of attacker-supplied code written into data memory regions.