XWiki Platform is a versatile wiki platform that provides runtime services for applications built on it. A security vulnerability, identified as CVE-2023-41046, has been found in XWiki Platform, which allows unauthorized execution of Velocity code regardless of the rights of the author of the property. This vulnerability potentially enables attackers to access otherwise restricted data and APIs, leading to possible further privilege escalation.

Exploit Details

Using XWiki, it's possible to execute Velocity code without having script rights by creating an XClass with a property of type "TextArea" and content type "VelocityCode" or "VelocityWiki". Here's an example:

xClassObj.addProperty("TextArea", new TextAreaClass());
xClassObj.setPropertyAttribute("contenttype", "VelocityCode");

For the "VelocityCode" content type, the syntax of the document must be set to xwiki/1.0. In both cases, when the property is added to an object, the Velocity code is executed regardless of the rights of the author. The code still runs with the correct context author, so privileged APIs cannot be called directly; however, Velocity exposes data and APIs that are otherwise inaccessible without script rights, which could allow further privilege escalation.

It is important to note that this behavior is not a security issue in XWiki versions prior to 7.2 since all users could execute Velocity before the separation of "script" rights in version 7.2.
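
As an added defensive example (not code from the XWiki project or from this advisory), the following Python audit helper scans an XWiki document export in XAR-style XML and flags XClass TextArea properties whose content type is VelocityCode or VelocityWiki, together with the document author and syntax, so an administrator can review such classes on an instance that has not yet been upgraded. The element names (xwikidoc, author, syntaxId, class, contenttype, classType) follow the XWiki XAR document format; the sample document is constructed.

```python
# Added audit helper (not XWiki project code): scans an XWiki document export
# (XAR-style XML) for XClass TextArea properties whose content type makes
# XWiki evaluate the property value as Velocity (see CVE-2023-41046).
import xml.etree.ElementTree as ET

VELOCITY_CONTENT_TYPES = {"VelocityCode", "VelocityWiki"}
TEXTAREA_CLASS = "com.xpn.xwiki.objects.classes.TextAreaClass"

# Constructed sample document: one ordinary wiki-text property and one
# property whose content type triggers Velocity evaluation.
SAMPLE_DOC = """<xwikidoc version="1.3" reference="Sandbox.ReviewClass" locale="">
  <name>ReviewClass</name>
  <author>xwiki:XWiki.UntrustedUser</author>
  <syntaxId>xwiki/1.0</syntaxId>
  <class>
    <name>Sandbox.ReviewClass</name>
    <summary>
      <contenttype>WikiText</contenttype>
      <name>summary</name>
      <classType>com.xpn.xwiki.objects.classes.TextAreaClass</classType>
    </summary>
    <template>
      <contenttype>VelocityCode</contenttype>
      <name>template</name>
      <classType>com.xpn.xwiki.objects.classes.TextAreaClass</classType>
    </template>
  </class>
</xwikidoc>
"""

def find_velocity_textareas(xml_text):
    """Return one finding per TextArea property with a Velocity content type."""
    root = ET.fromstring(xml_text)
    author = root.findtext("author", default="")
    syntax = root.findtext("syntaxId", default="")
    findings = []
    cls = root.find("class")
    if cls is None:
        return findings
    for prop in cls:  # each child element of <class> is one property definition
        if prop.findtext("classType") != TEXTAREA_CLASS:
            continue
        ctype = prop.findtext("contenttype", default="")
        if ctype in VELOCITY_CONTENT_TYPES:
            findings.append({
                "document": root.get("reference"),
                "property": prop.tag,
                "contenttype": ctype,
                "author": author,
                # VelocityCode is only evaluated when the document syntax is xwiki/1.0
                "syntax": syntax,
            })
    return findings
```

Run the helper over every document XML in an exported XAR and review any finding whose author does not hold script rights.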

Patch and Recommendations

XWiki has patched this vulnerability in versions 14.10.10 and 15.4 RC1. Users are strongly advised to upgrade their XWiki instances to these patched versions to secure their systems from this vulnerability. There are no known workarounds for this issue.

Conclusion

Security vulnerabilities involving unauthorized code execution are serious threats to any platform. In the case of XWiki, the CVE-2023-41046 vulnerability allowed potential attackers to execute Velocity code without having proper script rights. This access to restricted data and APIs posed severe risks to the security of applications built on the XWiki platform. Upgrading to patched XWiki versions (14.10.10 or 15.4 RC1) is the recommended solution to protect against this vulnerability.

Timeline

Published on: 09/01/2023 20:15:00 UTC
Last modified on: 09/07/2023 19:20:00 UTC