CVE-2024-21651 - Vulnerability Details - OpenCVE

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A user able to attach a file to a page can post a malformed TAR file by manipulating file modification times headers, which when parsed by Tika, could cause a denial of service issue via CPU consumption. This vulnerability has been patched in XWiki 14.10.18, 15.5.3 and 15.8 RC1.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00379.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Xwiki	Xwiki

Configuration 1 [-]

OR	cpe:2.3:a:xwiki:xwiki::::::::
	cpe:2.3:a:xwiki:xwiki::::::::
	cpe:2.3:a:xwiki:xwiki::::::::

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2024-0294	XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A user able to attach a file to a page can post a malformed TAR file by manipulating file modification times headers, which when parsed by Tika, could cause a denial of service issue via CPU consumption. This vulnerability has been patched in XWiki 14.10.18, 15.5.3 and 15.8 RC1.
Github GHSA	GHSA-8959-rfxh-r4j4	XWiki vulnerable to Denial of Service attack through attachments

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-8959-rfxh-r4j4
https://jira.xwiki.org/browse/XCOMMONS-2796

History

Tue, 03 Jun 2025 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-01-08T23:30:03.580Z

Updated: 2025-06-03T14:34:29.906Z

Reserved: 2023-12-29T16:10:20.366Z

Link: CVE-2024-21651

Vulnrichment

Updated: 2024-08-01T22:27:36.137Z

NVD

Status : Modified

Published: 2024-01-09T00:15:44.600

Modified: 2024-11-21T08:54:48.300

Link: CVE-2024-21651

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-21651", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-12-29T16:10:20.366Z", "datePublished": "2024-01-08T23:30:03.580Z", "dateUpdated": "2025-06-03T14:34:29.906Z"}, "containers": {"cna": {"title": "XWiki Denial of Service attack through attachments", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-8959-rfxh-r4j4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-8959-rfxh-r4j4"}, {"name": "https://jira.xwiki.org/browse/XCOMMONS-2796", "tags": ["x_refsource_MISC"], "url": "https://jira.xwiki.org/browse/XCOMMONS-2796"}], "affected": [{"vendor": "xwiki", "product": "xwiki-platform", "versions": [{"version": ">= 14.10, < 14.10.18", "status": "affected"}, {"version": ">= 15.0-rc-1, < 15.5.3", "status": "affected"}, {"version": ">= 15.6-rc-1, < 15.8-rc-1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-01-08T23:30:03.580Z"}, "descriptions": [{"lang": "en", "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A user able to attach a file to a page can post a malformed TAR file by manipulating file modification times headers, which when parsed by Tika, could cause a denial of service issue via CPU consumption. This vulnerability has been patched in XWiki 14.10.18, 15.5.3 and 15.8 RC1.\n"}], "source": {"advisory": "GHSA-8959-rfxh-r4j4", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:27:36.137Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-8959-rfxh-r4j4", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-8959-rfxh-r4j4"}, {"name": "https://jira.xwiki.org/browse/XCOMMONS-2796", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://jira.xwiki.org/browse/XCOMMONS-2796"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-08T15:43:38.745493Z", "id": "CVE-2024-21651", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-03T14:34:29.906Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-8959-rfxh-r4j4", "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-8959-rfxh-r4j4", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://jira.xwiki.org/browse/XCOMMONS-2796", "name": "https://jira.xwiki.org/browse/XCOMMONS-2796", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:27:36.137Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-21651", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-08T15:43:38.745493Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-08T15:43:40.580Z"}}], "cna": {"title": "XWiki Denial of Service attack through attachments", "source": {"advisory": "GHSA-8959-rfxh-r4j4", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "xwiki", "product": "xwiki-platform", "versions": [{"status": "affected", "version": ">= 14.10, < 14.10.18"}, {"status": "affected", "version": ">= 15.0-rc-1, < 15.5.3"}, {"status": "affected", "version": ">= 15.6-rc-1, < 15.8-rc-1"}]}], "references": [{"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-8959-rfxh-r4j4", "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-8959-rfxh-r4j4", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://jira.xwiki.org/browse/XCOMMONS-2796", "name": "https://jira.xwiki.org/browse/XCOMMONS-2796", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A user able to attach a file to a page can post a malformed TAR file by manipulating file modification times headers, which when parsed by Tika, could cause a denial of service issue via CPU consumption. This vulnerability has been patched in XWiki 14.10.18, 15.5.3 and 15.8 RC1.\n"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-01-08T23:30:03.580Z"}}}, "cveMetadata": {"cveId": "CVE-2024-21651", "state": "PUBLISHED", "dateUpdated": "2025-06-03T14:34:29.906Z", "dateReserved": "2023-12-29T16:10:20.366Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-01-08T23:30:03.580Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*", "matchCriteriaId": "52956074-859F-4743-9EB0-0AC72FCA2556", "versionEndExcluding": "14.10.18", "versionStartIncluding": "14.10", "vulnerable": true}, {"criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*", "matchCriteriaId": "D58E15DE-ACD3-4DFC-A003-241C8C300F3C", "versionEndExcluding": "15.5.3", "versionStartIncluding": "15.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*", "matchCriteriaId": "90D1780F-9883-4D3D-8562-DEEE3527F9FF", "versionEndExcluding": "15.8", "versionStartIncluding": "15.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A user able to attach a file to a page can post a malformed TAR file by manipulating file modification times headers, which when parsed by Tika, could cause a denial of service issue via CPU consumption. This vulnerability has been patched in XWiki 14.10.18, 15.5.3 and 15.8 RC1.\n"}, {"lang": "es", "value": "XWiki Platform es una plataforma wiki gen\u00e9rica que ofrece servicios de ejecuci\u00f3n para aplicaciones creadas sobre ella. Un usuario capaz de adjuntar un archivo a una p\u00e1gina puede publicar un archivo TAR con formato incorrecto manipulando los encabezados de los tiempos de modificaci\u00f3n del archivo, que cuando Tika los analiza, podr\u00eda causar un problema de denegaci\u00f3n de servicio debido al consumo de CPU. Esta vulnerabilidad ha sido parcheada en XWiki 14.10.18, 15.5.3 y 15.8 RC1."}], "id": "CVE-2024-21651", "lastModified": "2024-11-21T08:54:48.300", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-01-09T00:15:44.600", "references": [{"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-8959-rfxh-r4j4"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://jira.xwiki.org/browse/XCOMMONS-2796"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-8959-rfxh-r4j4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://jira.xwiki.org/browse/XCOMMONS-2796"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Secondary"}]}