XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting with version 8.3-rc-1 and prior to versions 12.10.3 and 14.0, one can ask for any file located in the classloader using the template API and a path with ".." in it. The issue is patched in versions 14.0 and 13.10.3. There is no easy workaround for this issue.
References
Link | Resource |
---|---|
https://github.com/xwiki/xwiki-platform/commit/4917c8f355717bb636d763844528b1fe0f95e8e2 | Patch Third Party Advisory |
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-9qrp-h7fw-42hg | Third Party Advisory |
https://jira.xwiki.org/browse/XWIKI-19349 | Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
07 Jun 2022, 19:48
Type | Values Removed | Values Added |
---|---|---|
References | (CONFIRM) https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-9qrp-h7fw-42hg - Third Party Advisory | |
References | (MISC) https://github.com/xwiki/xwiki-platform/commit/4917c8f355717bb636d763844528b1fe0f95e8e2 - Patch, Third Party Advisory | |
References | (MISC) https://jira.xwiki.org/browse/XWIKI-19349 - Vendor Advisory | |
CPE | cpe:2.3:a:xwiki:xwiki:8.3:rc1:*:*:*:*:*:* cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:* |
|
CVSS |
v2 : v3 : |
v2 : 4.0
v3 : 2.7 |
CWE |
25 May 2022, 21:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-05-25 21:15
Updated : 2024-02-04 22:29
NVD link : CVE-2022-29253
Mitre link : CVE-2022-29253
CVE.ORG link : CVE-2022-29253
JSON object : View
Products Affected
xwiki
- xwiki