CVE-2024-31997
Published: 10 April 2024
Summary
CVE-2024-31997 is a critical-severity Missing Authorization (CWE-862) vulnerability in XWiki Platform (vendor: XWiki). Its CVSS 3.1 base score is 9.9 (Critical).
Operationally, it ranks in the top 2.0% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
XWiki Platform is affected by a remote code execution vulnerability in versions prior to 14.10.19, 15.5.4, and 15.10-rc-1. The root cause is that the parameters of a UI extension (the key=value list stored on an XWiki.UIExtensionClass object) are unconditionally interpreted as Velocity code and evaluated with programming rights, regardless of whether the author of the document holding the extension has that right. This is a missing authorization check when UI extension definitions are processed, matching the associated CWE-862.
Any authenticated user with edit right on some document, such as their own profile page, can add a UI extension object with Velocity in its parameters and thereby execute arbitrary code on the server. Successful exploitation grants complete control over the XWiki instance, compromising the confidentiality, integrity, and availability of all wiki content and of any system the server can reach. The CVSS 3.1 score of 9.9 reflects a network-reachable, low-complexity attack that needs only low privileges (an ordinary account) and no user interaction, with changed scope and high impact on all three properties.
The vulnerability was addressed in XWiki 14.10.19, 15.5.4, and 15.9-RC1 through changes that stop UI extension parameters from being executed as Velocity with unrestricted rights. Note that the advisory text gives the affected range as "prior to 15.10-rc-1" while naming 15.9-RC1 as the patched release; deployments on the 15.x line should verify their version against the advisory's patched-versions list rather than the prose. No workarounds are documented, so upgrading is the only remediation. Details are available in the GitHub security advisory GHSA-c2gg-4gq4-jv5j, the linked commits, and the Jira issue XWIKI-21335.
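Two checks a defender would want from the analysis above, as an added example (this is not XWiki code and not from the advisory): a version test against the three patched releases the page names, and an offline scan of an exported XWiki document (XAR "xwikidoc" XML) for XWiki.UIExtensionClass objects whose parameters contain Velocity syntax, reporting the document author so that extensions registered by low-privilege accounts stand out. The XML layout below is a simplified, constructed sample of the XAR format (the class-definition element is omitted), the extension point id and user names are illustrative, and the rule that a release candidate sorts before the final release of the same version is an assumption. The version logic goes slightly beyond the page by handling each maintenance branch separately.

```python
"""Added example for CVE-2024-31997: version check and UI extension audit.

Not XWiki project code. Assumes the simplified XAR document layout shown
in SAMPLE_DOC below (constructed) and that a release candidate precedes
the final release of the same version number.
"""
import re
import xml.etree.ElementTree as ET

# Patched releases from the advisory: 14.10.19 on the 14.10.x branch,
# 15.5.4 on the 15.5.x branch, 15.9-RC1 for everything else (so any
# 14.x below 14.10 and any 15.0-15.8 release is vulnerable).
FIXED_BY_BRANCH = {(14, 10): (14, 10, 19, 1, 0), (15, 5): (15, 5, 4, 1, 0)}
FIXED_DEFAULT = (15, 9, 0, 0, 1)   # 15.9-RC1; qualifier encoded as (0, rc number)


def parse_version(version):
    """'15.9-rc-1' -> (15, 9, 0, 0, 1); '14.10.19' -> (14, 10, 19, 1, 0).

    Final releases get qualifier (1, 0) so they sort after their RCs
    (assumption; other qualifiers such as SNAPSHOT are treated as final)."""
    base, _, qualifier = version.strip().lower().partition("-")
    nums = [int(p) for p in base.split(".")]
    nums += [0] * (3 - len(nums))
    rc = re.fullmatch(r"rc-?(\d+)", qualifier)
    tail = (0, int(rc.group(1))) if rc else (1, 0)
    return tuple(nums[:3]) + tail


def is_vulnerable(version):
    """True when the given XWiki version predates the fix on its branch."""
    v = parse_version(version)
    return v < FIXED_BY_BRANCH.get(v[:2], FIXED_DEFAULT)


# Velocity directives and variable references ($x, ${x}, $!x).
VELOCITY = re.compile(r"#(set|if|foreach|macro|evaluate|include|parse|define)\b|\$[!{]?[A-Za-z_]")


def parse_parameters(text):
    """UIX 'parameters' is a key=value list, one pair per line."""
    params = {}
    for line in (text or "").splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return params


def find_velocity_uix(xml_text):
    """Return every XWiki.UIExtensionClass object whose parameters carry Velocity."""
    root = ET.fromstring(xml_text)
    doc_ref = root.get("reference") or f"{root.findtext('web')}.{root.findtext('name')}"
    author = root.findtext("author")
    findings = []
    for obj in root.findall("object"):
        if obj.findtext("className") != "XWiki.UIExtensionClass":
            continue
        # Each <property> wraps one element named after the class field.
        props = {field.tag: (field.text or "") for prop in obj.findall("property") for field in prop}
        params = parse_parameters(props.get("parameters"))
        velocity_keys = [k for k, v in params.items() if VELOCITY.search(v)]
        if velocity_keys:
            findings.append({
                "document": doc_ref, "author": author,
                "uix": props.get("name"), "extension_point": props.get("extensionPointId"),
                "scope": props.get("scope"), "velocity_params": velocity_keys,
            })
    return findings


def suspicious(findings, trusted_authors):
    """Keep findings whose document author is not on the trusted (admin) list."""
    return [f for f in findings if f["author"] not in trusted_authors]


# Constructed sample: a user profile page carrying two UI extension objects.
SAMPLE_DOC = """<xwikidoc version="1.5" reference="XWiki.mallory" locale="">
  <web>XWiki</web>
  <name>mallory</name>
  <author>XWiki.mallory</author>
  <contentAuthor>XWiki.mallory</contentAuthor>
  <object>
    <name>XWiki.mallory</name>
    <number>0</number>
    <className>XWiki.UIExtensionClass</className>
    <property><extensionPointId>org.xwiki.platform.template.header.after</extensionPointId></property>
    <property><name>profile.banner</name></property>
    <property><scope>wiki</scope></property>
    <property><parameters>order=100</parameters></property>
  </object>
  <object>
    <name>XWiki.mallory</name>
    <number>1</number>
    <className>XWiki.UIExtensionClass</className>
    <property><extensionPointId>org.xwiki.platform.template.header.after</extensionPointId></property>
    <property><name>profile.evil</name></property>
    <property><scope>wiki</scope></property>
    <property><parameters>order=200
title=#evaluate($request.title)</parameters></property>
  </object>
</xwikidoc>
"""

if __name__ == "__main__":
    for v in ("14.10.18", "14.10.19", "15.5.3", "15.8", "15.9-rc-1"):
        print(v, "vulnerable" if is_vulnerable(v) else "fixed")
    for f in suspicious(find_velocity_uix(SAMPLE_DOC), {"XWiki.Admin"}):
        print(f)
```

Run it against the XML files of a `xwiki export` or a XAR unpacked with `unzip`; any hit whose author is not an administrator on a version the check reports as vulnerable is worth treating as a possible compromise rather than a configuration oddity, since on those versions the Velocity in the parameters already ran with programming rights. Legitimate extensions use Velocity too (for example for localized labels), so the author and the scope are what separate signal from noise.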
The EPSS score peaked at 0.6025 and currently stands at 0.5368, a predicted probability of exploitation within the next 30 days far above that of the typical CVE. EPSS is a likelihood estimate, not evidence that exploitation has been observed.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-1179
Vulnerability details
XWiki Platform is a generic wiki platform. Prior to versions 14.10.19, 15.5.4, and 15.10-rc-1, parameters of UI extensions are always interpreted as Velocity code and executed with programming rights. Any user with edit right on any document like the user's own profile can create UI extensions. This allows remote code execution and thereby impacts the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 14.10.19, 15.5.4 and 15.9-RC1. No known workarounds are available.
- CWE-862: Missing Authorization
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness type (CWE-862) cited in the NVD entry and is generic to missing-authorization flaws. For this CVE specifically, the only documented remediation is upgrading to a patched release, since no workaround exists.
- An access control policy ensures authorization checks are defined and applied for critical functions.
- Periodic reviews of access controls detect missing authorization checks on critical functions or resources.
- Documenting every permitted unauthenticated action makes exceptions explicit and subject to organizational review.
- Associating security attributes with information ensures authorization decisions have the security and privacy context they need.
- Requiring authorization before remote connections are allowed addresses missing authorization for remote access.
- Requiring authorization before wireless connections are allowed addresses missing authorization for wireless access.
- Requiring authorization before mobile device connections are allowed addresses missing authorization for system access from such devices.
- Requiring approval for account creation and specifying each account's authorizations ensures that access to the system is authorized.