Cyber Resilience

CVE-2022-41931

Critical · Public PoC · RCE

Published: 23 November 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: XWiki 13.10.7, 14.4.2, 14.5
CVSS v3.1: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS: 0.1893 (95.5th percentile)
Risk Priority: 31 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-41931 is a critical-severity Eval Injection (CWE-95) vulnerability in XWiki, specifically in the xwiki-platform-icon-ui module. Its CVSS v3.1 base score is 9.9 (Critical).

Operationally, it ranks in the top 4.5% of CVEs by EPSS exploit likelihood (95.5th percentile); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

xwiki-platform-icon-ui contains an eval injection vulnerability (CWE-95) in the icon picker macro. Any user who can view a commonly accessible document that includes the macro can supply macro parameters that are not neutralized before they re-enter XWiki's rendering pipeline, so attacker-controlled text is evaluated as Groovy, Python or Velocity script on the server. The flaw is present in XWiki 6.4 up to but not including 13.10.7, and in 14.0 up to but not including 14.4.2.
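The mechanism above, as an added illustration that is not code from XWiki or from the advisory: a wiki macro written in Velocity copies a caller-supplied parameter into the wiki syntax it emits, and XWiki then parses that output a second time, so a parameter value containing a `{{groovy}}` block is executed. The template, parameter name and helpers are a simplified model (the real `IconThemesCode.IconPickerMacro` is not reproduced here); `escape_xwiki_syntax` models escaping every character with the XWiki syntax escape character `~`, which is what `$services.rendering.escape(text, 'xwiki/2.1')` does in XWiki, and `find_script_markers` is a detection helper for request parameters or saved page content.

```python
import re

# Script macros that the second rendering pass would execute on the server.
SCRIPT_MACRO = re.compile(
    r"\{\{(groovy|python|velocity)\}\}(.*?)\{\{/\1\}\}", re.DOTALL)
# Looser marker for detection: an opening script-macro tag is enough to flag.
SCRIPT_MARKER = re.compile(r"\{\{\s*(groovy|python|velocity)\b", re.IGNORECASE)
# Velocity references to wiki-macro parameters: $xcontext.macro.params.<name> or $!...
PARAM_REF = re.compile(r"\$!?xcontext\.macro\.params\.(\w+)")

# Hypothetical macro body (assumption, not XWiki's own): its Velocity output is
# wiki syntax that carries the 'prefix' parameter straight into the second pass.
ICON_PICKER_TEMPLATE = (
    "{{velocity}}"
    '(% class="icon-picker" data-prefix="$!xcontext.macro.params.prefix" %)'
    "(((Pick an icon)))"
    "{{/velocity}}"
)


def escape_xwiki_syntax(value):
    """Model of rendering.escape for xwiki/2.1: prefix every character with '~',
    so the second pass reads the value as literal text, never as macro syntax."""
    return "".join("~" + ch for ch in value)


def run_velocity(template, params, escape=None):
    """First pass: substitute macro parameters into the Velocity template.
    Returns wiki syntax, which XWiki parses again (the dangerous step)."""
    body = template.removeprefix("{{velocity}}").removesuffix("{{/velocity}}")

    def substitute(match):
        raw = params.get(match.group(1), "")
        return escape(raw) if escape else raw

    return PARAM_REF.sub(substitute, body)


def second_pass(wiki_syntax):
    """Second pass: report the (language, code) pairs the server would execute,
    instead of executing them."""
    return [(m.group(1), m.group(2)) for m in SCRIPT_MACRO.finditer(wiki_syntax)]


def render_macro(params, hardened=False):
    """Vulnerable path (hardened=False) copies parameters raw; the hardened path
    escapes them before they reach the second rendering pass."""
    syntax = run_velocity(ICON_PICKER_TEMPLATE, params,
                          escape=escape_xwiki_syntax if hardened else None)
    return second_pass(syntax)


def find_script_markers(params):
    """Detection: map parameter name -> script language for every parameter value
    that carries an opening script-macro tag."""
    hits = {}
    for name, value in params.items():
        m = SCRIPT_MARKER.search(value)
        if m:
            hits[name] = m.group(1).lower()
    return hits


# Constructed inputs. The attacker value closes the attribute context the template
# put it in, opens a Groovy block, and re-opens a dummy attribute to keep the syntax tidy.
MALICIOUS = {"prefix": 'fa" %){{groovy}}println "RCE as the XWiki server"{{/groovy}}(% a="'}
BENIGN = {"prefix": "fa"}

if __name__ == "__main__":
    print(render_macro(MALICIOUS))                 # [('groovy', 'println "RCE as the XWiki server"')]
    print(render_macro(MALICIOUS, hardened=True))  # []
    print(find_script_markers(MALICIOUS))          # {'prefix': 'groovy'}
```

The point of the model is the second pass: nothing in the first pass is "eval", yet the attacker's text ends up executed because the macro's output is trusted as wiki syntax. Neutralizing the parameter before it is emitted, rather than trying to validate what it contains, is what closes the hole.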

An attacker with view rights on an affected document can therefore achieve remote code execution inside the XWiki server process, which gives full read, write and delete access to wiki content and lets the attacker affect confidentiality, integrity and availability of the whole instance. The CVSS v3.1 score of 9.9 reflects the network attack vector, low attack complexity, low privileges required, no user interaction, and a scope change: the impact extends beyond the vulnerable macro to the server hosting it.

The GitHub Security Advisory and the XWiki Jira entry state that the issue is resolved in XWiki 13.10.7, 14.4.2 and 14.5. Administrators who cannot upgrade immediately have two workarounds, both documented in the advisory and the fix commit: apply the commit by hand to the IconThemesCode.IconPickerMacro document in the object editor, or replace that document by importing it from the XAR archive of a fixed release. The wholesale import is safe because, per the advisory, the only changes to that document have been the security fix and minor formatting changes. The EPSS score has stayed at 0.1893 since disclosure, with no material increase.
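A triage helper for the fixed-version statement above, added here as an example rather than taken from the page or from XWiki. It derives the affected ranges from the fixed releases the advisory names (6.4 up to but not including 13.10.7, and 14.0 up to but not including 14.4.2), parses XWiki version strings including `-rc-N` and `-milestone-N` suffixes, and filters an inventory down to the hosts that still need the upgrade or the workaround. The pre-release grammar and ordering are assumptions, and the inventory is constructed for the example.

```python
import re

# Affected ranges derived from the advisory's fixed releases: [lower, upper).
AFFECTED_RANGES = [("6.4", "13.10.7"), ("14.0", "14.4.2")]

# Assumed ordering of XWiki pre-release tags: milestone < rc < final release.
_PRERELEASE_RANK = {"milestone": 0, "rc": 1}
_FINAL_RANK = 2


def parse_xwiki_version(version):
    """Turn an XWiki version string into a sortable key.

    Accepts '14.4.2', '13.10', '14.5-rc-1', '15.0-milestone-2'. Numeric parts are
    compared left to right; a pre-release sorts just below the release it precedes.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-(milestone|rc)-(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {version!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    if m.group(2):
        return numbers, (_PRERELEASE_RANK[m.group(2)], int(m.group(3)))
    return numbers, (_FINAL_RANK, 0)


def is_affected(version):
    """True when the version falls inside one of the affected ranges."""
    key = parse_xwiki_version(version)
    return any(parse_xwiki_version(lo) <= key < parse_xwiki_version(hi)
               for lo, hi in AFFECTED_RANGES)


def triage(inventory):
    """Return {host: version} for the hosts that still run an affected release."""
    return {host: version for host, version in inventory.items()
            if is_affected(version)}


# Constructed inventory; hostnames and versions are made up for the example.
INVENTORY = {
    "wiki-prod": "14.4.1",
    "wiki-stage": "14.4.2",
    "wiki-legacy": "13.10.6",
    "wiki-archive": "13.10.7",
    "wiki-dev": "14.4-rc-1",
    "wiki-museum": "6.3",
    "wiki-next": "15.0-milestone-1",
}

if __name__ == "__main__":
    for host, version in sorted(triage(INVENTORY).items()):
        print(f"{host}: {version} is affected by CVE-2022-41931; "
              f"upgrade to 13.10.7, 14.4.2 or 14.5, or apply the advisory's workaround")
```

Two caveats on the ranges: a pre-release of a lower bound (for example a 14.0 release candidate) sorts below 14.0 and is therefore reported as not affected, and a version string outside the grammar raises rather than being silently treated as safe. Treat a `ValueError` as "needs a manual look", never as "patched".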


Vulnerability details

xwiki-platform-icon-ui is vulnerable to Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'). Any user with view rights on commonly accessible documents including the icon picker macro can execute arbitrary Groovy, Python or Velocity code in XWiki due to improper neutralization of the macro parameters of the icon picker macro. The problem has been patched in XWiki 13.10.7, 14.5 and 14.4.2. Workarounds: The [patch](https://github.com/xwiki/xwiki-platform/commit/47eb8a5fba550f477944eb6da8ca91b87eaf1d01) can be manually applied by editing `IconThemesCode.IconPickerMacro` in the object editor. The whole document can also be replaced by the current version by importing the document from the XAR archive of a fixed version as the only changes to the document have been security fixes and small formatting changes.

CWE(s)

CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

Related Threats

No named threat-actor attribution and no ATT&CK technique mapping are recorded for this CVE.

Affected Assets

xwiki / xwiki (xwiki-platform-icon-ui)
6.4 up to but not including 13.10.7; 14.0.0 up to but not including 14.4.2 (fixed in 13.10.7, 14.4.2 and 14.5). The asset list also names 14.4.3 and 14.4.4 as affected, which conflicts with the advisory's statement that 14.4.2 contains the fix; treat those two entries as unverified and confirm against the advisory before acting on them.

Mitigating Controls

No controls are mapped to this CVE on this page. The mitigations the advisory itself gives are: upgrade to XWiki 13.10.7, 14.4.2 or 14.5; or, as an interim measure, apply the fix commit by hand to the IconThemesCode.IconPickerMacro document in the object editor; or replace that document wholesale by importing it from the XAR archive of a fixed release.

References

https://github.com/xwiki/xwiki-platform/commit/47eb8a5fba550f477944eb6da8ca91b87eaf1d01 (fix commit in xwiki-platform)