CVE-2023-41046: Velocity execution without script rights in Xwiki platform
First published: Fri Sep 01 2023(Updated: )
### Impact It is possible in XWiki to execute Velocity code without having script right by creating an XClass with a property of type "TextArea" and content type "VelocityCode" or "VelocityWiki". For the former, the syntax of the document needs to be set the `xwiki/1.0` (this syntax doesn't need to be installed). In both cases, when adding the property to an object, the Velocity code is executed regardless of the rights of the author of the property (edit right is still required, though). In both cases, the code is executed with the correct context author so no privileged APIs can be accessed. However, Velocity still grants access to otherwise inaccessible data and APIs that could allow further privilege escalation. At least for "VelocityCode", this behavior is most likely very old but only since XWiki 7.2, script right is a separate right, before that version all users were allowed to execute Velocity and thus this was expected and not a security issue. ### Patches This has been patched in XWiki 14.10.10 and 15.4 RC1. ### Workarounds There are no known workarounds. ### References * https://jira.xwiki.org/browse/XWIKI-20847 * https://jira.xwiki.org/browse/XWIKI-20848 * https://github.com/xwiki/xwiki-platform/commit/edc52579eeaab1b4514785c134044671a1ecd839
Credit: security-advisories@github.com security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Xwiki Xwiki | >=7.2<14.10.10 | |
| Xwiki Xwiki | >=15.0<15.4 | |
| maven/org.xwiki.platform:xwiki-platform-oldcore | >=15.0-rc-1<15.4-rc-1 | 15.4-rc-1 |
| maven/org.xwiki.platform:xwiki-platform-oldcore | >=7.2<14.10.10 | 14.10.10 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/xwiki/xwiki-platform/commit/edc52579eeaab1b4514785c134044671a1ecd839
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-m5m2-h6h9-p2c8
- https://jira.xwiki.org/browse/XWIKI-20847
- https://jira.xwiki.org/browse/XWIKI-20848
- https://nvd.nist.gov/vuln/detail/CVE-2023-41046
- https://github.com/advisories/GHSA-m5m2-h6h9-p2c8 (Advisory)
Frequently Asked Questions
What is CVE-2023-41046?
CVE-2023-41046 is a vulnerability in XWiki that allows the execution of Velocity code without script rights.
What is the impact of CVE-2023-41046?
The impact of CVE-2023-41046 is the ability to execute Velocity code without having script rights, potentially leading to remote code execution.
How can the CVE-2023-41046 vulnerability be exploited?
The CVE-2023-41046 vulnerability can be exploited by creating an XClass with a property of type 'TextArea' and content type 'VelocityCode' or 'VelocityWiki', with specific syntax.
Which software versions are affected by CVE-2023-41046?
XWiki versions 7.2 to 14.10.10, and versions 15.0-rc-1 to 15.4-rc-1 are affected by CVE-2023-41046.
How can I fix CVE-2023-41046?
To fix CVE-2023-41046, upgrade to XWiki version 15.4 or apply the recommended patches mentioned in the XWiki security advisory.
- collector/nvd-api
- collector/nvd-index
- collector/github-advisory-latest
- alias/GHSA-m5m2-h6h9-p2c8
- alias/CVE-2023-41046
- collector/nvd-cve
- collector/github-advisory
- agent/references
- agent/type
- agent/remedy
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/last-modified-date
- agent/severity
- agent/title
- agent/weakness
- agent/tags
- agent/description
- agent/first-publish-date
- agent/event
- vendor/xwiki
- canonical/xwiki xwiki
- version/xwiki xwiki/7.2
- version/xwiki xwiki/15.0
- package-manager/maven