Cyber Resilience

CVE-2024-52299

High

Published: 13 November 2024
Modified: 18 November 2024
KEV Added: not listed
Patch: available (fixed in 2.5.6)
CVSS Score v3.1: 7.5 (High) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score: 0.0022 (44.7th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-52299 is a high-severity Generation of Predictable Numbers or Identifiers (CWE-340) vulnerability in the XWiki PDF Viewer Macro (macro-pdfviewer). Its CVSS v3.1 base score is 7.5 (High): network-reachable, low complexity, no privileges or user interaction required, with high confidentiality impact and no integrity or availability impact.

Operationally, this page's ATT&CK mapping ties exploitation to File and Directory Discovery (T1083). EPSS ranks it at the 44.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.


Vulnerability details

macro-pdfviewer is a PDF Viewer Macro for XWiki using Mozilla pdf.js. Any user with view right on XWiki.PDFViewerService can access any attachment stored in the wiki, because the "key" that is passed to prevent this is computed incorrectly: calling skip on the digest stream doesn't update the digest. This is fixed in 2.5.6.
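The defect the advisory describes is a property of the Java API rather than of pdf.js: java.security.DigestInputStream feeds its MessageDigest only from its read methods, while skip() is inherited from FilterInputStream and simply forwards to the wrapped stream. The following is an added illustration written for this page, not code from macro-pdfviewer or XWiki; the key construction (a SHA-256 over the attachment bytes, hex encoded) is an assumed stand-in for whatever the macro actually hashes, chosen only to make the digest behaviour visible.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.DigestInputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HexFormat;

/**
 * Shows why skipping over content through a DigestInputStream yields a
 * content-independent digest. Illustrative code for this page, not the
 * macro-pdfviewer implementation; the "key" scheme below is a stand-in.
 */
public class DigestSkipDemo {

    /** Flawed pattern: advance past the bytes with skip(), then take the digest. */
    static String keyBySkip(byte[] attachment) throws IOException, NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        try (InputStream in = new DigestInputStream(new ByteArrayInputStream(attachment), md)) {
            // DigestInputStream.skip() is FilterInputStream.skip(): it calls the
            // wrapped stream's skip() and never touches the MessageDigest.
            long remaining = attachment.length;
            while (remaining > 0) {
                long skipped = in.skip(remaining);
                if (skipped <= 0) {
                    break;
                }
                remaining -= skipped;
            }
        }
        return HexFormat.of().formatHex(md.digest());
    }

    /** Corrected pattern: consume the stream with read() so every byte reaches the digest. */
    static String keyByRead(byte[] attachment) throws IOException, NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        try (InputStream in = new DigestInputStream(new ByteArrayInputStream(attachment), md)) {
            byte[] buf = new byte[8192];
            while (in.read(buf) != -1) {
                // read(byte[]) is routed to DigestInputStream.read(byte[], int, int),
                // which updates the digest as a side effect.
            }
        }
        return HexFormat.of().formatHex(md.digest());
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample "attachments" (not real wiki content).
        byte[] restricted = "quarterly numbers, restricted".getBytes(StandardCharsets.UTF_8);
        byte[] publicNote = "meeting notes, anyone may read".getBytes(StandardCharsets.UTF_8);

        String digestOfNothing = HexFormat.of().formatHex(
                MessageDigest.getInstance("SHA-256").digest(new byte[0]));

        // Flawed: both keys collapse to SHA-256("") and are therefore identical,
        // and anyone can compute that value without ever seeing either file.
        System.out.println("skip-based key, restricted: " + keyBySkip(restricted));
        System.out.println("skip-based key, public:     " + keyBySkip(publicNote));
        System.out.println("skip-based keys equal:           " + keyBySkip(restricted).equals(keyBySkip(publicNote)));
        System.out.println("equal to SHA-256 of empty input: " + keyBySkip(restricted).equals(digestOfNothing));

        // Fixed: the digest actually covers the content, so the keys differ.
        System.out.println("read-based keys differ:          " + !keyByRead(restricted).equals(keyByRead(publicNote)));
    }
}
```

Run it with `java DigestSkipDemo.java` on JDK 17 or later (HexFormat). The skip-based key prints the same value for both attachments and equals the SHA-256 of the empty input, so a caller who obtains any valid key, or simply hashes nothing, holds a key that is accepted for every attachment; that is the predictable-identifier failure behind the CWE-340 classification. Note also that a content hash is not by itself an access key even when computed correctly, since anyone holding the content can reproduce it; the mitigating control cited further down (unpredictable key values) points at a secret-derived token rather than a digest of the data.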

CWE(s)

CWE-340 Generation of Predictable Numbers or Identifiers

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1083 File and Directory Discovery (tactic: Discovery)
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213 Data from Information Repositories (tactic: Collection)
Adversaries may leverage information repositories to mine valuable information.
Why these techniques?

The flawed key computation in XWiki's PDFViewerService bypasses the attachment access check, so a user with view right on the service can read attachments they were not granted and enumerate them (e.g., via the Page Index JSON listing of protected attachments), which maps to File and Directory Discovery (T1083); on an Internet-facing wiki the flaw is reached through the public-facing application (T1190); and the attachments obtained are data collected from an information repository (T1213).

Affected Assets

XWiki PDF Viewer Macro (macro-pdfviewer)
Versions before 2.5.6 (fixed in 2.5.6)

Mitigating Controls

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-340: controlled key-establishment processes produce unpredictable key values instead of values derived from observable or guessable state.

This generic control does not replace the vendor fix: upgrade macro-pdfviewer to 2.5.6. Until then, the exposure is gated by view right on XWiki.PDFViewerService, so limiting which users hold that right limits who can reach the flawed check.
