CVE-2022-41931
Published: 23 November 2022
Summary
CVE-2022-41931 is a critical-severity Eval Injection (CWE-95) vulnerability in XWiki Platform (the xwiki-platform-icon-ui module). Its CVSS 3.1 base score is 9.9 (Critical).
Operationally, it ranks in the top 4.5% of CVEs by predicted exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
xwiki-platform-icon-ui contains an eval injection vulnerability (CWE-95) in the icon picker macro of XWiki. Any user able to view commonly accessible documents that include the macro can supply macro parameters that are not properly neutralized, resulting in execution of arbitrary Groovy, Python, or Velocity code on the server. The flaw is present in releases before 13.10.7 and in the 14.x line before 14.4.2 and 14.5.
An attacker with view rights on the affected documents can therefore achieve remote code execution in the context of the XWiki application (the Java process hosting it), which gives full read, write, and delete access to wiki content and lets the attacker affect confidentiality, integrity, and availability across the instance. The CVSS 3.1 score of 9.9 reflects the combination of a network attack vector, low attack complexity, only low privileges required (ordinary view rights), and a scope change: code running in the wiki's scripting engines reaches beyond the vulnerable macro to the whole server.
The GitHub Security Advisory and the XWiki Jira entry state that the issue is resolved in XWiki 13.10.7, 14.4.2, and 14.5. Administrators who cannot upgrade immediately can either apply the referenced commit manually to the IconThemesCode.IconPickerMacro document through the object editor, or import the corrected document from the XAR archive of a patched release; both the advisory and the commit itself document these workarounds. The associated EPSS score has remained flat at 0.1893 with no material increase after disclosure.
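Because the only remediation the advisory offers is moving to one of three fix releases on two branches, the version check is worth getting right. The following Python helper is an added example, not code from the advisory or from the XWiki project: it classifies an instance's version string against the fix releases named above. It assumes (the page does not say so) that every release older than 13.10.7 is affected, and that XWiki pre-release labels such as 14.5-rc-1 sort before the corresponding final release.

```python
"""Classify an XWiki version against the CVE-2022-41931 fix releases.

Added example; not code from the advisory or the XWiki project.
Assumptions not stated on the page: every release older than 13.10.7 is
affected, and pre-release labels ("14.5-rc-1", "14.4.2-milestone-1")
sort before the corresponding final release.
"""
import re
from typing import Tuple

# Fix releases named in the GitHub advisory and the XWiki Jira entry.
FIX_13X = "13.10.7"
FIX_144 = "14.4.2"
FIX_145 = "14.5"

_VERSION_RE = re.compile(
    r"^(?P<num>\d+(?:\.\d+)*)(?:-(?P<tag>[A-Za-z]+)-?(?P<n>\d+)?)?$"
)

VersionKey = Tuple[Tuple[int, ...], int, int]


def parse_version(version: str) -> VersionKey:
    """Turn '14.4.2-rc-1' into a tuple that sorts like XWiki releases do.

    Key layout: (numeric parts padded to three, 1 for a final release or
    0 for a pre-release, pre-release number).  '14.5' therefore sorts
    after '14.5-rc-1' and equals '14.5.0'.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version string: {version!r}")
    nums = [int(p) for p in m.group("num").split(".")]
    nums.extend([0] * (3 - len(nums)))
    if m.group("tag") is None:
        return tuple(nums), 1, 0
    return tuple(nums), 0, int(m.group("n") or 0)


def recommended_fix(version: str) -> str:
    """Name the fix release on the same branch as the given version."""
    (major, minor, *_), _, _ = parse_version(version)
    if major < 14:
        return FIX_13X          # 13.10.x LTS line, and anything older
    if major == 14 and minor <= 4:
        return FIX_144          # 14.0 - 14.4.x: fixed only from 14.4.2
    return FIX_145              # 14.5 and later


def is_vulnerable(version: str) -> bool:
    """True when the version predates the fix release for its branch."""
    return parse_version(version) < parse_version(recommended_fix(version))


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical host names, not real data).
    inventory = {
        "wiki-a": "13.10.6",
        "wiki-b": "13.10.7",
        "wiki-c": "14.4.1",
        "wiki-d": "14.5-rc-1",
        "wiki-e": "14.10.3",
    }
    for host, ver in inventory.items():
        if is_vulnerable(ver):
            state = "VULNERABLE -> upgrade to " + recommended_fix(ver)
        else:
            state = "fixed"
        print(f"{host:8} {ver:12} {state}")
```

The branch logic matters more than the string comparison: a 14.3.x instance is older than 14.4.2 but will never receive that fix, so the helper points it at 14.4.2 (or, in practice, a current release) rather than treating the 13.10.7 fix as relevant to it.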
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-7241
Vulnerability details
xwiki-platform-icon-ui is vulnerable to Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'). Any user with view rights on commonly accessible documents including the icon picker macro can execute arbitrary Groovy, Python or Velocity code in XWiki due to improper neutralization of the macro parameters of the icon picker macro. The problem has been patched in XWiki 13.10.7, 14.5 and 14.4.2. Workarounds: The [patch](https://github.com/xwiki/xwiki-platform/commit/47eb8a5fba550f477944eb6da8ca91b87eaf1d01) can be manually applied by editing `IconThemesCode.IconPickerMacro` in the object editor. The whole document can also be replaced by the current version by importing the document from the XAR archive of a fixed version as the only changes to the document have been security fixes and small formatting changes.
- CWE(s): CWE-95, Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
XWiki Platform, module xwiki-platform-icon-ui (the IconThemesCode.IconPickerMacro wiki document): releases before 13.10.7, and 14.x releases before 14.4.2 and 14.5.
Mitigating Controls
No mitigating controls have been mapped yet (the per-CVE control annotator has not reached this CVE). Until then, the vendor remediation applies: upgrade to 13.10.7, 14.4.2 or 14.5, or use the documented workaround of patching IconThemesCode.IconPickerMacro in the object editor or importing the fixed document from a patched XAR archive.