
CVE-2024-31997

Critical · Public PoC

Published: 10 April 2024
Modified: 09 January 2025
KEV Added: not listed
Patch: available
CVSS Score (v3.1): 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.5368 (98.0th percentile)
Risk Priority: 52 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-31997 is a critical-severity Missing Authorization (CWE-862) vulnerability in XWiki Platform (vendor: XWiki). Its CVSS base score is 9.9 (Critical).

Operationally, it ranks in the top 2.0% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

XWiki Platform is affected by a remote code execution vulnerability in versions prior to 14.10.19, 15.5.4, and 15.10-rc-1. The root cause is that parameters supplied to UI extensions are unconditionally interpreted as Velocity code and evaluated with full programming rights, regardless of the caller's privileges. This stems from insufficient authorization checks when processing UI extension definitions, as indicated by the associated CWE-862.

Any authenticated user with edit rights on a document, such as their own profile page, can register a malicious UI extension and thereby execute arbitrary code on the server. Successful exploitation grants complete control over the XWiki instance, allowing attackers to compromise the confidentiality, integrity, and availability of all wiki content and connected systems. The issue carries a CVSS 3.1 score of 9.9, reflecting its network-accessible, low-complexity nature and critical impact.

The vulnerability was addressed in the releases XWiki 14.10.19, 15.5.4, and 15.9-RC1 through changes that prevent unrestricted Velocity execution of UI extension parameters. No workarounds are documented. Details are available in the GitHub security advisory GHSA-c2gg-4gq4-jv5j, the linked commits, and the Jira issue XWIKI-21335.

The EPSS score reached a peak of 0.6025 with a current value of 0.5368, indicating notable post-disclosure exploitation interest.


Vulnerability details

XWiki Platform is a generic wiki platform. Prior to versions 4.10.19, 15.5.4, and 15.10-rc-1, parameters of UI extensions are always interpreted as Velocity code and executed with programming rights. Any user with edit right on any document like the user's own profile can create UI extensions. This allows remote code execution and thereby impacts the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 14.10.19, 15.5.4 and 15.9-RC1. No known workarounds are available.


Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: xwiki
Product: xwiki
Affected versions: ≤ 14.10.19 · 15.0 to 15.5.4 · 15.6 to 15.9

Mitigating Controls

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Each of the following controls addresses CWE-862:

- Requiring an access control policy ensures authorization checks are defined and applied for critical functions.
- Reviews of access controls detect missing authorization checks on critical functions or resources.
- Documenting permitted unauthenticated actions prevents missing authorization by making all exceptions explicit and subject to organizational review.
- Requiring attribute association with information prevents authorization from being performed without the necessary security or privacy context.
- Mandating authorization prior to allowing remote connections addresses missing authorization for remote access.
- Mandating authorization before wireless connections are allowed prevents missing authorization for wireless access.
- Requiring authorization before allowing mobile device connections directly mitigates missing authorization for system access.
- Requiring approvals for account creation and specifying authorizations ensures authorization is not missing for system access.
