critical
9
CWE
284 352
Advisory Published
CVE Published
Updated

CVE-2023-40573: XWiki Platform's Groovy jobs check the wrong author, allowing remote code execution

First published: Wed Aug 23 2023(Updated: )

### Impact XWiki supports scheduled jobs that contain Groovy scripts. Currently, the job checks the content author of the job for programming right. However, modifying or adding a job script to a document doesn't modify the content author. Together with a CSRF vulnerability in the job scheduler, this can be exploited for remote code execution by an attacker with edit right on the wiki. For successful exploitation, the needs to have edit right on a document whose content has last been changed by a user with programming right. This could be the user profile for users created by admins. In this document, the attacker can create an object of class `XWiki.SchedulerJobClass` using the object editor. By setting job class to `com.xpn.xwiki.plugin.scheduler.GroovyJob`, cron expression to `0 0/5 * * * ?` and job script to `services.logging.getLogger("foo").error("Job content executed")`, the attacker can create a job. Now this job just needs to be triggered or scheduled. This can be achieved by embedding an image with the following XWiki syntax in any document that is visited by an admin: `[[image:path:/xwiki/bin/view/Scheduler/?do=trigger&which=Attacker.Document]]` where `Attacker.Document` is the document that has been prepared by the attacker. If the attack is successful, an error log entry with "Job content executed" will be produced. ### Patches This vulnerability has been patched in XWiki 14.10.9 and 15.4RC1. ### Workarounds There is no workaround. ### References * https://jira.xwiki.org/browse/XWIKI-20852 * https://github.com/xwiki/xwiki-platform/commit/fcdcfed3fe2e8a3cad66ae0610795a2d58ab9662

Credit: security-advisories@github.com security-advisories@github.com security-advisories@github.com

Affected SoftwareAffected VersionHow to fix
maven/org.xwiki.platform:xwiki-platform-scheduler-api>=15.0-rc-1<15.4-rc-1
15.4-rc-1
maven/com.xpn.xwiki.platform.plugins:xwiki-plugin-scheduler>=1.3
maven/org.xwiki.platform:xwiki-platform-scheduler-api<14.10.9
14.10.9
Xwiki Xwiki<14.10.9
Xwiki Xwiki=15.0
Xwiki Xwiki=15.0-rc1
Xwiki Xwiki=15.1
Xwiki Xwiki=15.1-rc1
Xwiki Xwiki=15.2
Xwiki Xwiki=15.2-rc1
Xwiki Xwiki=15.3
Xwiki Xwiki=15.3-rc1

Remedy

https://github.com/xwiki/xwiki-platform/commit/fcdcfed3fe2e8a3cad66ae0610795a2d58ab9662

Remedy

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-8xhr-x3v8-rghj

Remedy

https://jira.xwiki.org/browse/XWIKI-20852

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is CVE-2023-40573?

    CVE-2023-40573 is a vulnerability in XWiki Platform that allows an attacker to execute arbitrary scripts due to a CSRF vulnerability in the job scheduler.

  • What is the severity of CVE-2023-40573?

    CVE-2023-40573 has a severity level of critical.

  • How does CVE-2023-40573 impact XWiki?

    CVE-2023-40573 allows an attacker to modify or add a job script to a document without modifying the content author, leading to potential execution of arbitrary scripts.

  • How can I fix CVE-2023-40573 in XWiki?

    To fix CVE-2023-40573, update XWiki Platform to version 15.4-rc-1 or apply the recommended patches.

  • Where can I find more information about CVE-2023-40573?

    You can find more information about CVE-2023-40573 in the official XWiki Platform security advisories and the associated GitHub commit.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203