ghsa-rr6p-3pfg-562j
Vulnerability from github
Published
2025-02-20 20:16
Modified
2025-02-20 22:53
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
XWiki Platform allows remote code execution as guest via SolrSearchMacros request
Details

Impact

Any guest can perform arbitrary remote code execution through a request to SolrSearch. This impacts the confidentiality, integrity and availability of the whole XWiki installation.

To reproduce on an instance, without being logged in, go to <host>/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20. If there is an output, and the title of the RSS feed contains Hello from search text:42, then the instance is vulnerable.

Patches

This vulnerability has been patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1.

Workarounds

This line in Main.SolrSearchMacros can be edited to match the rawResponse macro defined here with a content type of application/xml, instead of simply outputting the content of the feed.

References

  • https://jira.xwiki.org/browse/XWIKI-22149
  • https://github.com/xwiki/xwiki-platform/commit/67021db9b8ed26c2236a653269302a86bf01ef40

Attribution

This vulnerability has been reported by John Kwak for Trend Micro's Zero Day Initiative.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-search-solr-ui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.3-milestone-2"
            },
            {
              "fixed": "15.10.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-search-solr-ui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "16.0.0-rc-1"
            },
            {
              "fixed": "16.4.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-24893"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-95"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-20T20:16:21Z",
    "nvd_published_at": "2025-02-20T20:15:46Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\nAny guest can perform arbitrary remote code execution through a request to `SolrSearch`. This impacts the confidentiality, integrity and availability of the whole XWiki installation.\n\nTo reproduce on an instance, without being logged in, go to `\u003chost\u003e/xwiki/bin/get/Main/SolrSearch?media=rss\u0026text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28\"Hello%20from\"%20%2B%20\"%20search%20text%3A\"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20`. If there is an output, and the title of the RSS feed contains `Hello from search text:42`, then the instance is vulnerable.\n\n### Patches\nThis vulnerability has been patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1.\n\n### Workarounds\n[This line](https://github.com/xwiki/xwiki-platform/blob/568447cad5172d97d6bbcfda9f6183689c2cf086/xwiki-platform-core/xwiki-platform-search/xwiki-platform-search-solr/xwiki-platform-search-solr-ui/src/main/resources/Main/SolrSearchMacros.xml#L955) in `Main.SolrSearchMacros` can be edited to match the `rawResponse` macro defined [here](https://github.com/xwiki/xwiki-platform/blob/67021db9b8ed26c2236a653269302a86bf01ef40/xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/src/main/resources/templates/macros.vm#L2824) with a content type of `application/xml`, instead of simply outputting the content of the feed.\n\n### References\n\n* https://jira.xwiki.org/browse/XWIKI-22149\n* https://github.com/xwiki/xwiki-platform/commit/67021db9b8ed26c2236a653269302a86bf01ef40\n\n### Attribution\nThis vulnerability has been reported by John Kwak for Trend Micro\u0027s Zero Day Initiative.",
  "id": "GHSA-rr6p-3pfg-562j",
  "modified": "2025-02-20T22:53:32Z",
  "published": "2025-02-20T20:16:21Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rr6p-3pfg-562j"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24893"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/commit/67021db9b8ed26c2236a653269302a86bf01ef40"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/xwiki/xwiki-platform"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/blob/568447cad5172d97d6bbcfda9f6183689c2cf086/xwiki-platform-core/xwiki-platform-search/xwiki-platform-search-solr/xwiki-platform-search-solr-ui/src/main/resources/Main/SolrSearchMacros.xml#L955"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/blob/67021db9b8ed26c2236a653269302a86bf01ef40/xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/src/main/resources/templates/macros.vm#L2824"
    },
    {
      "type": "WEB",
      "url": "https://jira.xwiki.org/browse/XWIKI-22149"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XWiki Platform allows remote code execution as guest via SolrSearchMacros request"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.