CVE-2024-21651 - OpenCVE

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A user able to attach a file to a page can post a malformed TAR file by manipulating file modification times headers, which when parsed by Tika, could cause a denial of service issue via CPU consumption. This vulnerability has been patched in XWiki 14.10.18, 15.5.3 and 15.8 RC1.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Xwiki	Xwiki

Configuration 1 [-]

OR	cpe:2.3:a:xwiki:xwiki::::::::
	cpe:2.3:a:xwiki:xwiki::::::::
	cpe:2.3:a:xwiki:xwiki::::::::

No data.

References

Link	Providers
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-8959-rfxh-r4j4
https://jira.xwiki.org/browse/XCOMMONS-2796

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-01-08T23:30:03.580Z

Updated: 2024-08-01T22:27:36.137Z

Reserved: 2023-12-29T16:10:20.366Z

Link: CVE-2024-21651

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2024-01-09T00:15:44.600

Modified: 2024-01-12T17:15:18.467

Link: CVE-2024-21651

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-21651", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-12-29T16:10:20.366Z", "datePublished": "2024-01-08T23:30:03.580Z", "dateUpdated": "2024-08-01T22:27:36.137Z"}, "containers": {"cna": {"title": "XWiki Denial of Service attack through attachments", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-8959-rfxh-r4j4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-8959-rfxh-r4j4"}, {"name": "https://jira.xwiki.org/browse/XCOMMONS-2796", "tags": ["x_refsource_MISC"], "url": "https://jira.xwiki.org/browse/XCOMMONS-2796"}], "affected": [{"vendor": "xwiki", "product": "xwiki-platform", "versions": [{"version": ">= 14.10, < 14.10.18", "status": "affected"}, {"version": ">= 15.0-rc-1, < 15.5.3", "status": "affected"}, {"version": ">= 15.6-rc-1, < 15.8-rc-1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-01-08T23:30:03.580Z"}, "descriptions": [{"lang": "en", "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A user able to attach a file to a page can post a malformed TAR file by manipulating file modification times headers, which when parsed by Tika, could cause a denial of service issue via CPU consumption. This vulnerability has been patched in XWiki 14.10.18, 15.5.3 and 15.8 RC1.\n"}], "source": {"advisory": "GHSA-8959-rfxh-r4j4", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:27:36.137Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-8959-rfxh-r4j4", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-8959-rfxh-r4j4"}, {"name": "https://jira.xwiki.org/browse/XCOMMONS-2796", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://jira.xwiki.org/browse/XCOMMONS-2796"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*", "matchCriteriaId": "52956074-859F-4743-9EB0-0AC72FCA2556", "versionEndExcluding": "14.10.18", "versionStartIncluding": "14.10", "vulnerable": true}, {"criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*", "matchCriteriaId": "D58E15DE-ACD3-4DFC-A003-241C8C300F3C", "versionEndExcluding": "15.5.3", "versionStartIncluding": "15.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*", "matchCriteriaId": "90D1780F-9883-4D3D-8562-DEEE3527F9FF", "versionEndExcluding": "15.8", "versionStartIncluding": "15.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A user able to attach a file to a page can post a malformed TAR file by manipulating file modification times headers, which when parsed by Tika, could cause a denial of service issue via CPU consumption. This vulnerability has been patched in XWiki 14.10.18, 15.5.3 and 15.8 RC1.\n"}, {"lang": "es", "value": "XWiki Platform es una plataforma wiki gen\u00e9rica que ofrece servicios de ejecuci\u00f3n para aplicaciones creadas sobre ella. Un usuario capaz de adjuntar un archivo a una p\u00e1gina puede publicar un archivo TAR con formato incorrecto manipulando los encabezados de los tiempos de modificaci\u00f3n del archivo, que cuando Tika los analiza, podr\u00eda causar un problema de denegaci\u00f3n de servicio debido al consumo de CPU. Esta vulnerabilidad ha sido parcheada en XWiki 14.10.18, 15.5.3 y 15.8 RC1."}], "id": "CVE-2024-21651", "lastModified": "2024-01-12T17:15:18.467", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-01-09T00:15:44.600", "references": [{"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-8959-rfxh-r4j4"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://jira.xwiki.org/browse/XCOMMONS-2796"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Primary"}]}