CVE-2024-31982
Published: 10 April 2024
Summary
CVE-2024-31982 is a critical-severity Eval Injection (CWE-95) vulnerability in XWiki Platform (vendor: XWiki). Its CVSS base score is 10.0 (Critical).
Operationally, it ranks in the top 0.1% of CVEs by EPSS exploit likelihood, is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.
Deeper analysis
XWiki Platform is a generic wiki platform affected by a remote code execution vulnerability in its database search feature (the Main.DatabaseSearch page). The issue, present from version 2.4-milestone-1 up to but excluding 14.10.20, 15.5.4, and 15.10-rc-1, stems from insufficient neutralization of the user-supplied search text, which can be made to evaluate as code rather than being treated as data (CWE-94 code injection and CWE-95 eval injection). An attacker who controls the search text can therefore execute arbitrary code with full impact on the confidentiality, integrity, and availability of the XWiki installation, which is reflected in the CVSS 10.0 score.
Exploitation requires no special privileges or user interaction: any unauthenticated visitor to a public wiki, or any authenticated user of a closed wiki, can reach the database search page because it is accessible to all users by default.
Official patches are available in XWiki 14.10.20, 15.5.4, and 15.10RC1. The project advisory and commits recommend either applying the fix directly to the Main.DatabaseSearch page or removing that page entirely when the legacy database search interface is not required.
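The three fixed versions above apply to different release lines, and XWiki version strings carry milestone and release-candidate suffixes, so "is my instance affected" is easy to get wrong by eye. The following is an added example (not XWiki project code) that encodes the advisory's ranges: affected from 2.4-milestone-1 up to but excluding 14.10.20, 15.5.4 and 15.10-rc-1. The split of those boundaries across release lines (14.x, 15.0 to 15.5, 15.6 and later) and the ordering milestone < rc < final are this example's reading of the advisory and of XWiki's version scheme, not something the advisory states in code.

```python
"""Check whether an XWiki Platform version falls in the CVE-2024-31982
affected ranges (2.4-milestone-1 up to, excluding, 14.10.20 / 15.5.4 /
15.10-rc-1).

Added example, not XWiki project code. The mapping of each fixed version
to a release line and the suffix ordering are assumptions explained in
the comments.
"""
import re
from typing import Tuple

# Assumed pre-release ordering for XWiki version strings:
# milestone < rc < final release (no suffix).
_SUFFIX_RANK = {"milestone": 0, "rc": 1}
_FINAL_RANK = 2

# Accepts "14.10.20", "15.10-rc-1", "15.10RC1", "2.4-milestone-1".
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-?(milestone|rc)-?(\d+))?$")


def parse_version(text: str) -> Tuple[Tuple[int, ...], Tuple[int, int]]:
    """Turn a version string into a tuple that sorts correctly:
    (numeric components padded to three, (suffix rank, suffix number))."""
    m = _VERSION_RE.match(text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums = nums + (0,) * (3 - len(nums))  # 15.10 compares as 15.10.0
    if m.group(2):
        pre = (_SUFFIX_RANK[m.group(2)], int(m.group(3)))
    else:
        pre = (_FINAL_RANK, 0)
    return nums, pre


FIRST_AFFECTED = parse_version("2.4-milestone-1")

# Release line -> first fixed version on that line (from the advisory).
# Which line each fix belongs to is this example's assumption.
FIXED = {
    "14.x": parse_version("14.10.20"),
    "15.0-15.5": parse_version("15.5.4"),
    "15.6+": parse_version("15.10-rc-1"),
}


def is_affected(version: str) -> bool:
    """True if the given XWiki Platform version is in an affected range."""
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return False
    major, minor = v[0][0], v[0][1]
    if major < 15:
        return v < FIXED["14.x"]
    if major == 15 and minor <= 5:
        return v < FIXED["15.0-15.5"]
    return v < FIXED["15.6+"]


if __name__ == "__main__":
    for sample in ("14.10.19", "14.10.20", "15.5.3", "15.9", "15.10RC1"):
        print(f"{sample:>12}: {'AFFECTED' if is_affected(sample) else 'fixed'}")
```

Feed it the version shown in the XWiki footer or administration page; a `ValueError` means the string did not match the assumed scheme and should be checked by hand rather than trusted as "fixed".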
The EPSS score has held at a sustained high level, near 0.94, rather than climbing from a low baseline after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-1055
Vulnerability details
XWiki Platform is a generic wiki platform. Starting in version 2.4-milestone-1 and prior to versions 14.10.20, 15.5.4, and 15.10-rc-1, XWiki's database search allows remote code execution through the search text. This allows remote code execution for any visitor of a public wiki or user of a closed wiki as the database search is by default accessible for all users. This impacts the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 14.10.20, 15.5.4 and 15.10RC1. As a workaround, one may manually apply the patch to the page `Main.DatabaseSearch`. Alternatively, unless database search is explicitly used by users, this page can be deleted as this is not the default search interface of XWiki.
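Because the page is reachable by every visitor and a public proof-of-concept exists, a practitioner will also want to look back through web-server logs for requests to it. The following is an added example (not XWiki project code) that pulls every hit on Main.DatabaseSearch out of combined-format access logs and flags search text that contains XWiki macro or Velocity syntax. Assumptions: the page is served at the standard XWiki path `/<context>/bin/<action>/Main/DatabaseSearch`, the search text travels in a query parameter named `text`, and, since the advisory does not describe the payload, the markers flagged (`{{ }}`, `$name`, `#directive`) are a generic heuristic for eval injection into an XWiki page rather than a signature of a specific exploit. The log lines are constructed for the example.

```python
"""Hunt combined-format access logs for requests to XWiki's
Main.DatabaseSearch page and flag search text carrying macro or
Velocity syntax.

Added example, not XWiki project code. Assumed: standard XWiki URL
layout, search text in the ``text`` query parameter, and a heuristic
(not exploit-specific) notion of "suspicious" syntax.
"""
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Apr/2024:09:12:01 +0000] "GET /xwiki/bin/view/Main/DatabaseSearch?text=meeting+notes HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [11/Apr/2024:09:12:07 +0000] "GET /xwiki/bin/view/Main/DatabaseSearch?text=%7B%7Bvelocity%7D%7D%24doc.name%7B%7B%2Fvelocity%7D%7D HTTP/1.1" 200 7000 "-" "curl/8.4.0"
198.51.100.2 - - [11/Apr/2024:09:13:44 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 4200 "-" "Mozilla/5.0"
203.0.113.9 - - [11/Apr/2024:09:14:02 +0000] "GET /xwiki/bin/get/Main/DatabaseSearch?text=%24services.query HTTP/1.1" 200 900 "-" "curl/8.4.0"
"""

# Combined log format: client, identity, user, [time], "METHOD target proto", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Any action (view, get, ...) on the Main.DatabaseSearch page (assumed URL layout).
PAGE_RE = re.compile(r"/bin/[a-z]+/Main/DatabaseSearch$")

# Heuristic markers: XWiki macro opener, Velocity reference, Velocity directive.
SUSPICIOUS = re.compile(r"\{\{|\$[A-Za-z_{]|#(?:set|if|foreach|macro|evaluate)\b")


def findings(log_text: str, param: str = "text") -> List[Dict[str, object]]:
    """Return one record per request that reached the DatabaseSearch page,
    with the decoded search text and a heuristic 'suspicious' flag."""
    out: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable request line
        url = urlsplit(m["target"])
        if not PAGE_RE.search(url.path):
            continue  # some other page
        # parse_qs percent-decodes and turns '+' into spaces for us.
        values = parse_qs(url.query, keep_blank_values=True).get(param, [])
        text = values[0] if values else ""
        out.append({
            "ip": m["ip"],
            "time": m["ts"],
            "status": m["status"],
            "text": text,
            "suspicious": bool(SUSPICIOUS.search(text)),
        })
    return out


def suspicious_sources(log_text: str) -> List[str]:
    """Distinct client addresses that sent flagged search text, in order seen."""
    seen: List[str] = []
    for f in findings(log_text):
        if f["suspicious"] and f["ip"] not in seen:
            seen.append(str(f["ip"]))
    return seen


if __name__ == "__main__":
    for f in findings(SAMPLE_LOG):
        mark = "!!" if f["suspicious"] else "  "
        print(f"{mark} {f['time']} {f['ip']} {f['status']} text={f['text']!r}")
    print("flagged sources:", suspicious_sources(SAMPLE_LOG))
```

Run it over `access.log` with `findings(open("access.log").read())`. Every record, flagged or not, is worth a look if the page was supposed to have been removed under the workaround: a non-zero count means the page was still being served.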
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.
- Dynamically generated code can be produced and executed inside an isolated sandbox, preventing host compromise from code-injection payloads.
- Validates inputs used in dynamic code generation to block injected directives.
- Directly prevents execution of attacker-supplied code written into data memory regions.
Of these, only input validation of the search text addresses this CVE directly: the injected code is evaluated by the application's own scripting and templating layer rather than as native machine code, so controls aimed at native code injection (read-only executable images, non-executable data memory) do not stop it. The effective fix is the vendor patch, or removing the Main.DatabaseSearch page where it is not needed.