CVE-2024-55662
Published: 12 December 2024
Summary
CVE-2024-55662 is a critical-severity Static Code Injection (CWE-96) vulnerability in XWiki Platform (vendor XWiki). Its CVSS base score is 9.9 (Critical).
Operationally, it ranks in the top 5.8% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog, but a public proof-of-concept is referenced.
Deeper analysis
XWiki Platform contains a remote code execution vulnerability in the Extension Repository Application component. The flaw affects versions from 3.3-milestone-1 up to but not including 15.10.9, and 16.x versions before 16.3.0: the application fails to enforce proper authorization checks, so any user can cause the server to execute code that should require programming rights. The issue is classified under the weakness types for static code injection (CWE-96), incorrect authorization, and improper control of code generation, and carries a CVSS score of 9.9.
Any authenticated user on an affected instance with the Extension Repository Application installed can exploit the vulnerability to run arbitrary server-side code. Successful exploitation yields privileges equivalent to programming rights on the wiki, enabling data exfiltration, modification of the system, or further lateral movement within the environment.
Official advisories recommend upgrading to XWiki 15.10.9 or 16.3.0 to resolve the issue. As a workaround, administrators can disable the Extension Repository Application on instances that do not require it, or manually apply the security patches from commit 8659f17d500522bf33595e402391592a35a162e8 to the ExtensionCode.ExtensionSheet and ExtensionCode.ExtensionAuthorsDisplayer pages.
The EPSS score (an estimated probability of exploitation in the next 30 days) rose from a low baseline to a peak of 0.4754, indicating a surge of exploitation interest after disclosure, before receding to the current value of 0.1277.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-3481
Vulnerability details
XWiki Platform is a generic wiki platform. Starting in version 3.3-milestone-1 and prior to versions 15.10.9 and 16.3.0, on instances where `Extension Repository Application` is installed, any user can execute any code requiring `programming` rights on the server. This vulnerability has been fixed in XWiki 15.10.9 and 16.3.0. Since `Extension Repository Application` is not mandatory, it can be safely disabled on instances that do not use it as a workaround. It is also possible to manually apply the patches from commit 8659f17d500522bf33595e402391592a35a162e8 to the page `ExtensionCode.ExtensionSheet` and to the page `ExtensionCode.ExtensionAuthorsDisplayer`.
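The affected-version ranges and the two workaround pages named in the analysis above and in the vulnerability details can be turned into a triage check. The script below is an added example, not XWiki project code or part of the advisory: it parses XWiki version strings (including `milestone` and `rc` pre-releases, ordered milestone < rc < final, which is an assumption), decides whether a version falls inside the ranges the advisory states, and checks for the presence of `ExtensionCode.ExtensionSheet` and `ExtensionCode.ExtensionAuthorsDisplayer` through the XWiki REST page resource (`/rest/wikis/<wiki>/spaces/<space>/pages/<page>`, assumed to answer 200 when the page exists and 404 otherwise). It also treats a pre-release of the fixed version as not yet fixed, which is a conservative assumption. The HTTP responses used for the demonstration are constructed inline so the script runs offline; `http_fetch` is provided for use against a live instance.

```python
"""
Triage helper for CVE-2024-55662 (XWiki Extension Repository Application).
Added example, not XWiki project code. Assumptions (labelled in comments):
  * version strings look like 15.10.8, 16.3.0-rc-1 or 3.3-milestone-1;
  * milestone < rc < final release, and an rc of the fixed version is NOT fixed;
  * the REST page resource answers 200 if the page exists, 404 otherwise.
"""
import re
from typing import Callable, Dict, Tuple

Fetch = Callable[[str], Tuple[int, str]]   # url -> (http status, body)

# Ranges exactly as stated in the advisory text.
FIRST_AFFECTED = "3.3-milestone-1"
FIXED_15 = "15.10.9"
FIXED_16 = "16.3.0"

# Pages the advisory's manual workaround patches; their presence shows the app is installed.
WORKAROUND_PAGES = [("ExtensionCode", "ExtensionSheet"),
                    ("ExtensionCode", "ExtensionAuthorsDisplayer")]

_PRERELEASE_RANK = {"milestone": 0, "rc": 1}   # assumption: milestone < rc < final
_VERSION_RE = re.compile(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:-(milestone|rc)-(\d+))?$")


def parse_xwiki_version(v: str) -> Tuple[int, ...]:
    """Map an XWiki version string to a tuple that sorts in release order."""
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {v!r}")
    major, minor, patch, tag, tagnum = m.groups()
    nums = (int(major), int(minor or 0), int(patch or 0))
    # A final release sorts after every milestone/rc carrying the same numbers.
    pre = (2, 0) if tag is None else (_PRERELEASE_RANK[tag], int(tagnum))
    return nums + pre


def version_affected(v: str) -> bool:
    """True if v lies in [3.3-milestone-1, 15.10.9) or in [16.0, 16.3.0)."""
    key = parse_xwiki_version(v)
    if key < parse_xwiki_version(FIRST_AFFECTED):
        return False
    if key[0] < 16:
        return key < parse_xwiki_version(FIXED_15)
    return key < parse_xwiki_version(FIXED_16)


def page_exists(fetch: Fetch, base_url: str, wiki: str, space: str, page: str) -> bool:
    """Assumption: XWiki's REST page resource returns 200 for an existing page."""
    status, _ = fetch(f"{base_url}/rest/wikis/{wiki}/spaces/{space}/pages/{page}")
    return status == 200


def triage(version: str, fetch: Fetch, base_url: str, wiki: str = "xwiki") -> Dict[str, object]:
    """Combine the version-range check with the page-presence check."""
    present = {f"{s}.{p}": page_exists(fetch, base_url, wiki, s, p) for s, p in WORKAROUND_PAGES}
    app_installed = any(present.values())
    affected = version_affected(version)
    if affected and app_installed:
        action = ("vulnerable: upgrade to 15.10.9/16.3.0, or disable the Extension "
                  "Repository Application, or patch the listed pages")
    elif affected:
        action = "affected version but workaround pages not found; upgrade anyway"
    else:
        action = "version outside the affected range"
    return {"version_affected": affected, "pages_present": present,
            "app_installed": app_installed, "action": action}


def http_fetch(url: str) -> Tuple[int, str]:
    """Fetch for use against a live instance (needs network; not used offline)."""
    import urllib.error
    import urllib.request
    try:
        with urllib.request.urlopen(url, timeout=10) as r:
            return r.status, r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, ""


# Constructed sample responses standing in for a real instance (no network needed).
_SAMPLE_BASE = "https://wiki.example/xwiki"
_SAMPLE_RESPONSES = {
    f"{_SAMPLE_BASE}/rest/wikis/xwiki/spaces/ExtensionCode/pages/ExtensionSheet":
        (200, '<page xmlns="http://www.xwiki.org"><id>xwiki:ExtensionCode.ExtensionSheet</id></page>'),
    f"{_SAMPLE_BASE}/rest/wikis/xwiki/spaces/ExtensionCode/pages/ExtensionAuthorsDisplayer":
        (200, '<page xmlns="http://www.xwiki.org"><id>xwiki:ExtensionCode.ExtensionAuthorsDisplayer</id></page>'),
}


def sample_fetch(url: str) -> Tuple[int, str]:
    """Offline stand-in for http_fetch backed by the constructed responses."""
    return _SAMPLE_RESPONSES.get(url, (404, ""))


if __name__ == "__main__":
    for v in ("15.10.8", "15.10.9", "16.2.0", "16.3.0", "3.2", "3.3-milestone-1"):
        print(v, "affected" if version_affected(v) else "not affected")
    print(triage("15.10.8", sample_fetch, _SAMPLE_BASE))
```

Against a live instance, call `triage(version, http_fetch, "https://your-wiki/xwiki")` with the version read from the administration UI; an affected version combined with either page present is the condition the advisory's workarounds address, and an affected version with neither page present still warrants the upgrade, since the check only proves the application is absent, not that the instance is otherwise patched.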
- CWE(s): CWE-96 (Static Code Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Eliminates the possibility of static code injection into saved executables by making the storage non-modifiable.
Periodic review and update of procedures reduces incorrect authorization implementations over time.
Supervision identifies cases where authorization logic incorrectly permits unauthorized actions.
Defining permitted attribute values and auditing modifications reduces the chance of incorrect authorization outcomes due to tampered or missing labels.
The authorization process and usage restrictions help prevent incorrect authorization for remote access types.
Establishing configuration and connection requirements helps ensure correct rather than incorrect authorization for wireless access.
Establishing connection authorization processes for mobile devices helps ensure authorization decisions are correctly implemented rather than incorrect.
Monitoring account use, notifying on changes, and reviewing accounts for compliance corrects incorrect authorization assignments.